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Abstract. In this paper we present a p-adic algorithm to compute the zeta func- 
tion of a nondegenerate curve over a finite field using Monsky-Washnitzer coho- 
mology. The paper vastly generalizes previous work since in practice all known 
cases, e.g. hyperelliptic, superelliptic and C a b curves, can be transformed to fit 
the nondegenerate case. For curves with a fixed Newton polytope, the property of 
being nondegenerate is generic, so that the algorithm works for almost all curves 
with given Newton polytope. For a genus g curve over ¥ p n, the expected run- 
ning time is 0(n s g 6 + n 2 p 6 ' 5 ), whereas the space complexity amounts to 0(n 3 g 4 ), 
assuming p is fixed. 
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1 Introduction 

An important research topic in computational number theory is the determination of the 
number of rational points on an algebraic curve C over a finite field F p n . More generally, 
one is interested in the computation of its Hasse-Weil zeta function 
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which turns out to be a rational function [10] (and hence a finite, computable object) that 
contains a huge amount of arithmetic and geometric information about C . For instance, if 
one wants to use a cryptosystem based on the discrete logarithm problem on the Jacobian 
variety Jac(C), one should be able to compute the cardinality of its set of rational points, 
which is fully determined by Z-^{i). Efficient point counting algorithms can also provide 
important heuristical (counter)evidence for several conjectures concerning the asymptotic 
behavior of the number of points on algebraic curves (see for instance [14,22,37]). 

Mainly because of its applications in cryptography, a significant amount of work has 
been done in the field of elliptic curve point counting. This roughly resulted in two types 
of algorithms. Schoof developed a so-called £-adic algorithm [40], using torsion points 
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to determine the number of points modulo small primes i ^ p. This algorithm has 
polynomial running time in the input size ~ nlogp. On the other hand, Satoh invented 
a p-adic method [39], using the Serre-Tate canonical lift of the curve. Unlike Schoof's 
algorithm, its running time is exponential in log p. For fixed (small) p however, it is much 
faster, especially due to several improvements made in the past few years (see [44] for 
an overview). 

Generalizing the above techniques to curves of any genus is a nontrivial task, since 
both methods make explicit use of the geometry of elliptic curves. Another concern is 
that the resulting algorithm should also have a good time complexity in the genus g of the 
input curve, as its size should now be measured as ~ gnlogp. So far, all attempts using 
the £-adic approach yield impractical algorithms for g > 2 (see [16] for a treatment of the 
.9 = 2 case, see also [20, 21, 36]), but the p-adic story is more successful. In 2001, Kedlaya 
found a non-obvious way to 'generalize' Satoh's method to hyperclliptic curves of any 
genus 3 [23], using a rigid analytical lift instead of the canonical lift. The big technical 
tool behind Kedlaya's algorithm is Monsky-Washnitzer cohomology (see [33-35] and the 
survey by van der Put [43]). 

A particularly nice aspect of Kedlaya's method is that there are no obvious theoretical 
obstructions for generalizations to larger classes of curves. This observation soon resulted 
in point counting algorithms for superelliptic curves [15] and C a i, curves [9]. In the present 
paper, we vastly generalize the previous by presenting an algorithm that determines the 

zeta function of so-called nondegenerate curves. These are curves in \ {0}^ that 

are defined by a Laurent polynomial / £ F p n [x ±1 , y ±:L ] that is nondegenerate with respect 
to its Newton polytope. We refer to Section 2 for the definition but mention here already 
that this condition is satisfied for generically chosen Laurent polynomials with given 
Newton polytope. 

The main result can be formulated as follows. 

Theorem 1. There exists a deterministic algorithm to compute the zeta function of a 
genus g nondegenerate curve over¥ pn that requires (^(n 3 ^) bit- operations and 0(n 3} l/ s ) 
space for p fixed. Here, \P t and \I/ 8 are parameters that depend onjhe Newton polytope of 
the input curve only; for 'most common' Newton polytopes, & t — 0(g 65 ) and<P s = 0(g 4 ). 

For explicit formulas for \P t and \P 8 wc refer to Theorem 8 (Section 7). Recall that the 
Soft-Oh notation O neglects factors that are logarithmic in the input size. The notion 
'most common' is not intended to be made mathematically exact. It just means that the 
Newton polytope should not be shaped too exotically. We refer to Section 7 for more 
details. 

It is worth remarking that Kedlaya's method is not the only p-adic point counting 
technique that is being investigated for higher genus. In 2002, Mestre adapted his so- 
called AGM method to ordinary hyperclliptic curves of any genus over finite fields of 
characteristic two [32]; it has been optimized by Lercier and Lubicz [31], while Ritzen- 
thalcr extended it to non-hyperelliptic curves of genus three [38]. These algorithms have 
running time 0(n 2 ) (for fixed p and g) but are exponential in the genus. Another in- 
teresting approach is to combine Kedlaya's ideas with Dwork's deformation theory [11]. 
This was first proposed by Lauder [29] and has been studied in more detail by Lauder 
himself [30], Gcrkmann [17] and Hubrechts, who recently obtained a memory efficient 
version of Kedlaya's original algorithm [19]. Independently, Tsuzuki used similar ideas 
for computing certain one-dimensional Kloosterman sums [42] . 

The remainder of this paper is organized as follows: Section 2 recalls the definition of 
nondegenerate curves, illustrates that a wealth of information is contained in the Newton 

3 This was over finite fields of odd characteristic. The characteristic 2 case was treated in [8]. 
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polytope and ends with a new result on the effective Nullstellensatz problem. Section 3 
contains a novel method to explicitly compute a basis of the first Monsky-Washnitzer 
cohomology group and Section 4 describes an algorithm to lift the Frobenius endomor- 
phism. An algorithm to compute modulo exact differential forms is given in Section 5. 
Section 6 discusses the simplifications when the curve is commode and monic. Finally, 
Section 7 contains the detailed algorithm and complexity estimates and Section 8 con- 
cludes the paper. 

Preliminaries. Instead of giving a concise resume of the cohomology theory of Monsky 
and Washnitzer, we immediately refer to the survey by van der Put [43] (or to the short 
overviews given in e.g. [23] or [9]). The idea behind the present algorithm is then simply 
to compute all terms in the Lefschetz fixed point formula [43, Formula (1.2)] (or [23, 
Theorem 1] or [9, Theorem 1]) modulo a certain p-adic precision. 

Notations and conventions. Throughout this article, x and y are fixed formal vari- 
ables. For any integral domain R and any subset S C B 2 , we denote by R[S] the ring 
generated by the monomials that are supported in S, i.e. 

R[x i y j | eSnz 2 ]. 

For instance, R[N 2 ] is just the polynomial ring R[x,y], R\L 2 ] is the Laurent polynomial 
ring i?^ 1 ,^ 1 ], and so on. If R is a complete DVR with local parameter t, and if R[S] 
is a finitely generated i?-algebra, we denote its i-adic completion by R{S) and its weak 
completion by R(S)^ , see [43] (or [23] or [9]) for the definition. Finally, if K is a field, K 
denotes a fixed algebraic closure. 

When dealing with cones or polytopcs in Mr, we will often implicitly assume that 
they are of full dimension, that is: they are not contained in a line. However, this will 
always be clear from the context. If there is possible doubt, the condition will be stated 
explicitly. 



2 Nondegenerate Curves 

Let K be an arbitrary field and denote with = SpecK[Z 2 ] the two-dimensional alge- 
braic torus over K. Consider 

f(x,y)= ]T /uzy G K[Z 2 ] 

with S a finite subset of Z 2 and fij G K \ {0} for all G S. The set S is called the 
support of /. Denote by r — r(f) the convex hull in R 2 of the points G S, it is 

called the Newton polytope of /. The boundary of J 1 is denoted by dr. The faces of r 
can be subdivided according to their dimension: vertices, edges and r itself. Let 7 be 
an edge between the integral points (a, 6) and (c,d), then the arithmetic length £(7) is 
defined as £(7) = gcd(a — c,b — d) G N \ {0}. Note that the number of integral points on 
7 is equal to + 1. 

Definition 1. Let f(x,y) — ^(i Ji3 )es fi,i x% V^ G K[Z 2 ] be a Laurent polynomial with 
Newton polytope r. For each face 7 of r, define f 7 (x,y) — j)G7nz 2 fi,j xl D 3 ■ Then f 
is called nondegenerate with respect to its Newton polytope if for all faces 7, the system 
of equations 

Of-y df-y 



has no solutions in the torus Tj| (that is, there are no solutions in (K \ {0}) ). 
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Before recalling the geometric meaning of this notion, we prove that a sufficiently 
generic Laurent polynomial with given Newton polytope will be nondegenerate. This is 
well-known in the characteristic case. 

Lemma 1. Let r C M 2 be the convex hull of a set of points in Z 2 . Consider the map 

if : Z 2 -» : i * 

Then the dimension of the affine subspace of A 2 , spanned by tp(T n Z 2 ) equals dim/ 1 . 

Proof: This is not entirely trivial if K is of characteristic p ^ 0. As the dimF = case 
is obvious, we first suppose that dim/ 1 = 1. Take points qi ^ qi G r H Z 2 and suppose 
that (fi(qi) = <p(q2)- Then we must have that q 2 = qi + p e v for some e G No and some 
nonzero v G Z 2 that is not divisible by p. Because r is convex, it also contains q\ + v, 
and definitely (p(qi) 7^ ^(fli + v). 

Now suppose dimT = 2. Take points (71, 92 G -T n Z 2 such that y(<Zi) 7^ ^(92)- Take 
a g 3 G r n Z 2 that is not in the span of q x and (72, but suppose <p(g 3 ) is in the span of 
<fi(qi) and p(g 2 ), say 

93 =Qi + fc(<?2 - 9i) +P e v 

for some e G N and some nonzero v G Z 2 that is not divisible by p and linearly 
independent of q 2 — q\ . Note that although this expansion is far from unique, there is a 
natural upper bound for e, so that we may assume that it is maximal. Indeed, if we write 
<7 3 — q\ = (01, a<i) and qi — q\ = (61, 62), then it is not hard to see that p e |&20i — a 2 bi ^ 0. 
As a consequence, <p(v) and ip(q2 — qi) are linearly independent, since otherwise this 
would contradict the maximality of e. 

Next, we may suppose that < k < p e by repeatedly replacing p e v <— p e v±p e (q2 — qi) 
if necessary. We may even suppose that k ^ 0, since otherwise we can proceed as in the 
dim r = 1 case. Now define 

fc - 1 p e - k 1 

q = — —qi h —qi + —qz = q2 + v. 

p e p e p e 

The first equality shows that q E T, the second one shows that q G Z 2 . Finally, ip(q) is 
not in the span of <p(qi) and ^(92 )• □ 

Proposition 1. Let r be a convex polytope in K 2 with integral vertex coordinates and 
write S = r (~l Z 2 . T/ien ifte set of points 

(/ij)(ij)es e A# 5 

/or w/iic/i / = J2fi,j xl V : ' * s not nondegenerate with respect to its Newton polytope is 
contained in an algebraic set of codimension > 1. Moreover, this algebraic set is defined 
over the prime subfield of K. 

Proof: Let 7 be a face of r. Suppose for now that it is two-dimensional. Let X 1 be the 
algebraic set in Aj^ 5 x (Ak \ {0}) 2 defined by the equations 

]T /,.,'•'//' o, Yl '/<-.r''V "• E iA^V = o. 

(ij')£7nz 2 (ij-)e 7 nz 2 (ij-)e 7 nz 2 

It has codimension 3. Indeed, for every a, b G K \ {0} the above equations define a 
linear codimension 3 subspace of Ajf 5 x {x = a,y = b}. Here we used that there is no 
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(a, b, c) G K 3 \ {(0, 0, 0)} such that a + bi + cj = for all G ip(j n Z 2 ), where ip 

is the map from the foregoing lemma. Let Yy be the projection of X 1 on A^ 5 . It has 
codimension at least 1 and consists exactly of those {fi,j)u,j)es that correspond to a 
Laurent polynomial for which the nondegenerateness condition with respect to 7 is not 
satisfied. 

If 7 has dimension < 2, one can again construct such a Y 1 using an appropriate 
change of variables so that / 7 becomes a univariate Laurent polynomial, or a constant. 

Then the Zariski closure of U 7 F 7 is the requested algebraic set. Remark that U 7 1 7 
may contain points that correspond to Laurent polynomials that are nondegenerate with 
respect to their Newton polytope: this will be the case whenever they have a Newton 
polytope that lies strictly inside r. □ 

Corollary 1. Let r be a convex polytope in R 2 with integral vertex coordinates and let 
p be a prime number. Let P n be the probability that a randomly chosen f G F p n [Z 2 ] with 
support inside T is nondegenerate with respect to its Newton polytope. Then P n — > 1 as 
n — > 00. 

Note that Proposition 1 is false if the condition of r being convex is omitted: 
S = {(0, 0), (p, 0), (0,p)} is an easy counterexample (where p > is the field char- 
acteristic). Another important remark is that Proposition 1 cannot be generalized to 
higher dimensions. For instance, any trivariate polynomial having 

r = Conv{(0, 0, 0), (1, 0, 0), (0, 1, 0), (1, l,p)} 

as its Newton polytope (where p > is again the field characteristic) will have a singular 
point in the three-dimensional algebraic torus. 

Clearly, when / is nondegenerate with respect to its Newton polytope, then f(x, y) — 
defines a non-singular curve on the torus T 2 , (at least if dimT = 2). But nondegener- 
ateness is much stronger: it implies that there exists a natural compactification Xp of 
Tjj^ in which the closure of this curve is still non-singular. 

2.1 Toric Resolution 

The construction of Xp is based on the theory of toric varieties. We refer to [7] for the 
general theory. For the convenience of the reader, we will explain the needed material in 
a self-contained way. 

To any cone A G M 2 , i.e. the set of linear combinations with non- negative real 
coefficients of a finite number of vectors in Q 2 , we associate the affine toric surface 
X A = SpecKLd]. 

Let r be a polytope in M 2 , then we can associate a toric surface Xp to r in the 
following way: to each face 7, associate the cone ^(7) generated by all vectors in 

{x — p I x G r,p G 7} . 

Let be the affine toric surface X^ 7 y If 7 C r with r another face of r, then 
^(7) C A(t) and K[Z\(r)] is obtained from K[Z\(7)] by adjoining the inverse of each 
monomial x l y J G K[Z\(7)] for which (i,j) G Lin(r). Here Lin(r) is the linear subspace 
of R 2 generated by the differences of vectors in r. Thus, SpecK[Z\(r)] is obtained from 
SpecK[Z\(7)] by cutting away some zero locus. Otherwise said: U T is canonically embed- 
ded in Uj as a Zariski-open subvariety. Note that Ur = T 2 ,, so is canonically an open 
subvariety of each variety U 1 . The surface Xp is then covered by the affine toric surfaces 
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£/ 7 where 7 runs over all vertices of T. Two such surfaces C/ 7l and J7 72 are glued together 
along their common open subvariety U T with r the smallest face of T containing both 71 
and 72. The surface Xp is complete and normal. Note that the toric surface associated 
to (any multiple of) the standard 2-simplex is just the projective plane Pj|. 

To every face 7 we can associate the algebraic torus T 7 = SpecK[Lin(7)]. Since 
Lin(7) C ^(7), we obtain a surjective homomorphism from K[Z\(7)] to K[Lin(7)], by 
mapping the monomials x l y J with (i,j) E Z\(7) \Lin(7) to zero and the other monomials 
to themselves. This canonically identifies T 7 with a closed subvariety of U 1 . Note that 
dimT 7 = dim 7 and that Xp is the disjoint union of the algebraic tori T 7 , with 7 running 
over all faces of T. Furthermore, the closure of T 7 in Xp is the disjoint union of all the 
T T with r a face of 7. Although Xp may have singularities, it is smooth outside the 
zero-dimensional locus associated to the vertices of T. 

Now, let f(x, y) E K[Z 2 ] be a Laurent polynomial and let T be its Newton polytope. 
Let V(f) denote the closure in Xp of the locus of / in the torus Tj|, then V(f) is called 
the toric resolution of the affinc curve defined by f(x,y) = on Tj|. Restricting V(f) 
to U 1 , it is easy to verify that V(f) fl T 7 equals the locus of x~ t y~ 3 / 7 in T 7 , where 
(i, j) E 7 n Z 2 . A standard calculation then shows that V(f) intersects the torus T 7 
transversally and does not contain T T for any vertex r of 7 if / 7 , df^/dx and df^/dy 
have no common zero in Tj|. 

In conclusion: the toric compactification Xp of can be written as the disjoint 
union 

Xp = T^UTi U •• • UT r UPi U ••• UP r (1) 

with r the number of edges (and thus also the number of vertices) of T, Tk the one- 
dimensional torus associated to the fc th edge and Pk the zero-dimensional torus associated 
to the k th vertex. If / is nondegenerate with respect to its Newton polytope T, then V(f) 
is a complete nonsingular curve on Xr that does not contain Pk for k — 1, . . . , r and 
intersects the tori Tk transversally for all k. 

2.2 Riemann-Roch and the Newton Polytope 

Most results in this subsection are easy consequences of known more general theorems [7] . 
For the convenience of the reader we will give a self-contained exposition. Throughout, 
assume that IK is perfect. Let / E K[Z 2 ] be nondegenerate with respect to its Newton 
polytope r and let C = V(f) C Xp be the toric resolution of the curve defined by / 
on Tj^. Enumerate the vertices pi, . . . ,p r clockwise and let tk be the edge connecting pk 
with pk+i (where p r +i = pi)- Let Pk C Xr be the zero-dimensional torus corresponding 
to pk and let Tk C Xp be the one-dimensional torus corresponding to tk- 

For each tk, denote with e& the vector (afe,&fe) E Z 2 with gcd(a/c,6/c) = 1 which is 
perpendicular to tk and points from tk towards the interior of T. Define N k — Pk ■ &k- 
Note that instead of pk we could have taken any vertex on tk, since the difference is 
perpendicular to e^. 

Define the divisors Dc,r and Wc as 

D c ,r = - N k(T k nC) and W c = ^ (T k nC). 

fc=l,...,r k— l,...,r 

The notation Dc.r emphasizes that this divisor not only depends on C, but also on T . 
Indeed if we replace / by x l y^ f ', then T is replaced by T + but C remains the 

same. Since from the context it will always be clear what T is, we will mostly write Dc 
instead of Dc,r- 
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For any subset 4cK 2 , denote with La the K- vector space generated by x l y J with 
(i, j) E An 1? . If D is a divisor on C which is defined over K, then C(D) denotes the 
corresponding Riemann-Roch space 

{/eK(C)\{0}| (/)+£> >0}U{0}. 

Note that Dc,r and Wc are defined over K. If K C K' is a field extension, we write 

jCk'(D) = {/ g K'(C) \ {0} | (/) + D > 0} U {0}. 

Note that £^{D) is generated by C{D) because K is perfect. In particular we have that 
dim K £(L>) = dim g >%(£>). 

We will often abuse notation and write things as La C C(D), though the latter is 
defined as a subspace of the function field K(C). 

Lemma 2. Let g be a Laurent polynomial with support in mP for some m G No- Let P 
be a point in C \ Tj| and denote with tk the edge of r such that P G Tk ■ Then we have: 

1. oidp(g) > -oid P (mD c ); 

2. If g m t k = ft k = has no solutions in T^, then equality holds. Conversely, if equality 
holds for all P G T^, then g m t k = ft k = has no solutions in Tj|. 

Proof: Let pt + a be the integral point on tk that is closest (but not equal) to pk- Let 
efe = (a*;, &fc) be as above, then a = (— 6fe, a*;). Choose a vector [3 — (c, d) such that 

*(^^)-'- 

Note that the cone Zi(ifc) is generated by a, —a,/?, so that J7i fc = SpecK[x', x'^ 1 , y'] = 
A| \ Ajj. Here 

a;' = x~ bk y ak 
y' = x c y d 

and Tk corresponds to the locus of y' = minus the origin. Since C intersects Tk 
transversally, we have that y 1 is a local parameter for C at P. Also note that x' is a unit 
in the local ring at P. The inverse transformation is given by 

x = x'- d y' a « 

y = x' c y' hk [ ' 

so that, using the notation e' k = (—d,c), 

x i y j = x 'e' k -(i,j) y 'e k -(i,j)_ ^ 

Now if (i, j) G mf, then ek ■ (i,j) > rn(ek • Pk), with equality iff G mtfc. Hence 

y) = y' m ^- p "\g m t k {x'- d , x' c ) + y'{- ■ ■ )). (4) 

Since ek ■ Pk = — ordpDc, the assertions follow. Indeed, f tk (x'~ d ,x' c ) vanishes at P, 
because (4) also holds for g replaced by / and m = 1. □ 

Corollary 2. 
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1. For i,j G Z, the following holds: 

Div c (x i y j )= (hj)-e k (T k nC), 

k— l,...,r 

which implies that L m p C C{mDc) for any m G No- 

2. The arithmetic length l(tk) equals #(T& n C). 

Proof: The first statement follows immediately from (3) and the inequality on the line 
below it. The second statement follows from the last assertion in the above proof, namely 
that the points of Tk n C correspond to the zeros of f tk (x'~ d ,x' c ). Now the latter can 
be written as a power of x' times a degree l(tk) polynomial in x' with non-zero constant 
term and without multiple roots. □ 



Corollary 3. Let f y denote the partial derivative of f with respect to y, then 

Div c [-^- ) =D C -W C . 



xyf, 



In particular, the differential form dx/{xyf y ) has no poles, nor zeros on C (~l Tj|. 



y) 

2 



Proof: First, let P be a point of C \ Tj|. We have to prove that 

ordp ^ X — ordpDc — 1 • 
x Vfy 

With the notation as in Lemma 2, we have that f tk (x'~ d (P), x' c (P)) = 0, where k is 
such that P G Tfe. Thus, because of the nondegenerateness of /: 

(x^t)^ d (P),x' c (P))^0 or ^y^y x '- d (P), x -(P))^0. 

We may suppose that the second condition holds. Indeed, the first case is treated anal- 
ogously using that dx/xyf y = —dy/xyf x . Moreover, ordpx is not a multiple of the 
characteristic p of K. Indeed if it was, then from formulas (2) and the material above 
it, au = mod p and a = (— 6fe,0) mod p (if p = 0, these congruences become exact 
equalities). Hence ft k has a special form: it equals a monomial with exponent pk times 
a Laurent polynomial with all exponents of y divisible by p. This Laurent polynomial 
vanishes on (x'~ d (P), x' c (P)), because x' is a unit at P. But this contradicts the assumed 
second condition on 

oy 

Now apply Lemma 2 (and its proof) with g replaced by yf y to find that ordpyf y = 
—ordp(Dc)- Since ordpx is not divisible by p, we have that ordpdx/x = —1 and the 
result follows. 

Next, take P G C (~l Tj|. Write P = (p x ,p y ). Because of the nondegenerateness we 
have that f|(P) ^ or f^(^) 0- I n particular, dx/xyf y = —dy/xyf x can have no 
pole at P. For the same reason, x — p x or y — p y must be local parameters at P so that 
for instance dx/xyf y = d(x — p x )/xyf y can have no zero at P. □ 

As a consequence, Dc — Wc is a canonical divisor. This observation allows us to give 
an elementary proof of a well-known result. See [26] for much more general theorems on 
this matter. 

Corollary 4. 



8 



1. 2g — 2 = deg Dq — deg Wc, with g the genus of C. 

2. g = #((-T \ dr) fl Z 2 ), i.e. the genus of C is the number of interior lattice points in 

r. 

Proof: 1. From the Riemann-Roch theorem it follows that the degree of a canonical 
divisor is 2g — 2. 

2. Because of Pick's theorem [18], which states that 

voi(r) = #((r \ an n i?) + M^EIHl} i, 

it suffices to prove that deg Dc = 2Vol(/ n ). For every edge tk, consider the triangle Ak 
defined by the two vertices of tk and the origin. If the origin happens to be one of the 
vertices, this is just a line segment. Then 

Vol(r) = ^-sgn(iV fc )Vol(Z\ fc ). 

k 

Now Ak is a triangle with base Z(ifc) ||efc|| (the length of tk) and height \pk ■ efc|/||efc||, so 
that its volume equals l(tk)\Nk\/2. The result follows. □ 

We note that the inequality g < #((r \ dT) n Z 2 ) holds in any case, i.e. without the 
nondegenerateness condition. This is Baker's formula: over C it was known already in 
1893, a proof of the general case can be found in [3]. 

We conclude this subsection with the following theorem, which is an easy consequence 
of the fact that H l (Xr,£) = for any i > 1 and any invcrtible sheaf £ on Xp which is 
generated by its global sections (see [7, Corollary 7.3 and Proposition 6.7]). But for the 
convenience of the reader we will give a more elementary proof. 

Theorem 2. For any m G No, the Riemann-Roch space C(mDc) is equal to L m r- 

Proof: For our proof, the abuse of notation mentioned at the beginning of this subsec- 
tion is somewhat annoying. Therefore, we will temporarily introduce the notation A m , 
which denotes the image of L m r inside the function field K(C). Note that the actual 
statement of the theorem should then be: C(mDc) = A m - 

We already showed that A m C C(mDc)- Therefore, it suffices to prove that the 
dimensions are equal. From Corollary 4 and the Riemann-Roch theorem, we have that 
dim C{mDc) = mdegDc + 1 — g. Note that this is a polynomial of degree 1 in m > 1. 
Now consider the maps 

r m ■ L( m -\)r L mr :w>->wf, m > 1 . 

We claim that cokcr r m = A m . Indeed, we will show that the natural map 

coker r m > Am 

is injective. Let v 6 L m p be such that v = in the function field. Then there exists a 
unique Laurent polynomial q such that v = fq. Now for any k = 1, . . . , r, we have that 

ord Tfc w = ord Tfc / + ord Tfe g. 

Here, ordT fc is the valuation at Tk in Xp (which is nonsingular in codimension one). 
From formula (4) one deduces that ord.T k v > mNk (indeed, y' is a local parameter at 
Tk). Similarly, we have that ord^./ = Nk- Therefore, ord.T k q > (m — l)Nk- By a similar 
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argument, now using (3), we conclude that q G L( m -i)r, which proves the claim. Now 
by a well-known result by Ehrhart [13], dim L m p is a quadratic polynomial in m with 
leading coefficient Vol(T) for m > 0. As a consequence, 

dim.4 TO = dimcoker r m = dimi m r — dimL^ m _i^ r 

is just like dim C(mDc) a linear polynomial in m for m > 1. Therefore it suffices to 
prove equality for m — 1 and m — > oo. 

The case m — 1 follows from Corollary 4. Indeed, 

dim£(L> c ) = deg D c + 1 - g = 2g - 2 + #(clT n Z 2 ) + 1 - g = #(T n Z 2 ) - 1 , 

which is precisely dim„4i. 

For the case m — > oo it suffices to prove that 

dimL mr - dimi (m _ 1)r 
deg L>c = um 1 — • 

m— >oo m 

Since dimL m r = Vol(_T)m 2 + . . . , the right hand side is 2Vol(T) which is indeed 

2#(r \ or n z 2 ) + (6>r n z 2 ) - 2 = 25 - 2 + deg w c 

according to Pick's theorem [18]. □ 



2.3 Effective Nullstellensatz 

In this subsection, we prove a new sparse effective Nullstellensatz. Because this is inter- 
esting in its own right, things are treated somewhat more generally than is needed for 
the rest of the paper. Let IK be a field or a discrete valuation ring with maximal ideal 
m. Let / G K[Z n ] := K[xf 1 , . . . , x^ 1 ] define a smooth affine scheme over K. Then there 
exist Laurent polynomials a, /3i, . . . , (3 n £ K[Z™] for which 

1 = af + pixi H h (i n x n . 

ax i ax n 

Though this is well known, we give the following inductive argument for the DVR case 
(using the field case), for use in the proof of Lemma 3. Let i be a local parameter of K. 
Since / is a smooth affine scheme over K, there exist Laurent polynomials a, (3i, . . . , (3 n G 
Frac^^Z™] and ai,/?i, ...,j3 n £ K[Z"] such that 

df df 
I = af + p lXl -?- + ■ ■ ■ + (3 n x n -l- (5) 

df ~ df 

l = af + pixi- 1 h flnXn-z — modi. (6) 

ax i ax n 

Clearing denominators in (5) yields 

+ + (7) 

for some m G N and a',(3' l7 . . . , [3' n G K[Z™]. If m = we are done. If not, we can reduce 
m inductively by rewriting (6) as 1 + tQ = af + PiXi-^ + • • • + P n x n -§^-, for some 
Q G K[Z n ]. Now multiply this equation with t m_1 , multiply (7) with Q, and subtract. 
This concludes the proof. 

Next, for sake of being self-contained, we give the following definitions; they are 
straightforward generalizations of the corresponding notions defined in a previous sub- 
section. 
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Definition 2. The Newton polytope r(h) of a polynomial h £ K[Z ra ] is the polytope in 
M 11 obtained by taking the convex hull of the support ofh, i.e. the set of exponent vectors 
in Z" corresponding to monomials that have a non-zero coefficient in h. 

For any a C M™ , we denote by h a the Laurent polynomial obtained from h by setting all 
monomials whose exponent vectors lie outside of a equal to zero. 

Definition 3. Suppose K is a field and let h £ K[Z™]. Let r be a convex polytope in M. n 
with vertices in Z" and suppose h has support inside T. If 

dh^ dh-y dh-y , — > n 

i = Xl 7> — = X2 T> — = • • • = x n — — = has no solutions in T K :— (K \ |0}j 

for all faces j of T (including T itself), then it is said that h is nondegenerate with 
respect to T. 

Now, for reasons that will become clear in Section 4, we want the Newton polytopes 
of a, Pi, . . . , P n to be as small as possible. It will turn out that a natural bound exists 
whenever /, i.e. the reduction modulo m, is nondegenerate with respect to r(f), at least 
if the latter is n-dimensional and contains the origin. The main theorem is the following 
sparse effective Nullstellensatz, which seems new even when K = C. Our proof is inspired 
by an argument in [28], see also [2, Section 4]. 

Theorem 3. Let K be a field or a DVR, and denote its maximal ideal by m. Let r be a 
convex polytope in 1" with vertices in Z" and suppose that dim T = n. Let /o, /i, . . . , f n £ 
K[Z™] have supports in r and take a g 6 K[Z n ] with support in (n + Suppose that 
for every face 7 of r the system f 0l = ■ ■ ■ = /„ 7 = has no solutions in T™ K ^ . Then 
there exist h 0l . . . , h n £ K[Z n ] with support in nT such that g = hofo H h Kifn- 

Proof: Write k = K/m. Let Sp be the graded ring consisting of all fc-linear combinations 
of terms of the form 

t d x e , with d e N and e e dT n Z". 

The degree of such a term is by definition equal to d. Similarly, let Sp consist of the 
IK-linear combinations. 

Let A be the cone in M™ +1 generated by all vectors (d, e) with d £ N and e £ dT. 
Clearly S r = k[A\. Because the systems / = • • • = / = have no common solution 
in TJJ, the locus in Spec (S r ) of (tf , . . . , tf n ) consists of only one point. This is easily 
verified considering the restrictions of the locus of tfi to the tori that partition Spec (S r ). 
Hence 



(tfo,-. .,tf n ) 

has Noetherian dimension zero. On the other hand Sp is a Cohen-Macaulay ring by a 
well-known result of Hochster (see e.g. [7, Theorem 3.4]) that states that k[C] is Cohen- 
Macaulay for any cone C. So t/ , . . . , tf n is a regular sequence. This means that we have 
exact sequences 

Ui/o.--.f/i)Vi V(i/o,.--.»/ i )/j \(tfo- ■■•*/<+,) J t 

where the second arrow is multiplication by tf i+1 and where (• • • )d denotes the homo- 
geneous part of degree d. Thus 

dim fe ( -== ) = dim fe ( —= — =— ) - dim fe ( —=- 1 



(tf ,...,tf i+1 )l. \(tf ,...,tf i )J d V(*/ */*) 



d-l 
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By a result of Ehrhart [13], the number of lattice points in dr (which is precisely 
dimk{Sr)d) is a polynomial function in d for all d > 0. We obtain that 



dim fc 



S' 



(t/o, • • ■ , tf n ) J cL 



is a polynomial function in d for all d > n + 1 . Since the Noetherian dimension is zero, 
this polynomial must be zero as well. 

In particular, we have that the /c-linear map 

n 

W k : 0($)„ - (S h r ) n+ i ■ (t n h , • • • , t n h n ) ~ t n+1 (ho7o + ■■■ + Kin) 

»=0 

is surjective. But then necessarily the corresponding K-map 

n 

Wk : 0(5?)„ - (S£)„+i : (t"V • • • ~ t" +1 (^o/o + • ■ • + Kf n ) 

»=o 

is surjective. Indeed, let M be the matrix of Wk- Then its reduction modulo m is the 
matrix of Wk, so it has a minor of maximal dimension with non-zero determinant. But 
this means that M itself has a minor of maximal dimension whose determinant is a unit 
in K. □ 

The following corollary will be essential in devising a sharp bound for the rate of 
overconvergence of a lift of the Frobcnius endomorphism in Section 4. It will also allow 
us to translate the action of Frobenius on the first Monsky-Washnitzer cohomology space 
(consisting of differential forms) to a space of functions that will be introduced in the 
next section. The exact way in which this is done is described in STEP I and STEP V of 
the algorithm (Section 7). 

Corollary 5. Let K be a field or a DVR and denote by k its residue field. Let f e K[Z n ] 
and suppose that f and its reduction f € k[Z n ] have the same Newton polytope r, which 
is supposed to be n- dimensional and to contain the origin. If f is nondegenerate with 
respect to its Newton polytope, then there exist a, [3i, . . . , (3 n G K[Z™] such that 

l = af + Pixi^f- + ■■■ + P„x n p- 
ax\ ox n 

with r(a), r(/?i), . . . , r{fs n ) c n r(f). 

Proof: Apply Theorem 3 to /, m . . . , x n -§^. □ 

A second corollary to Theorem 3 is that an arbitrary lift of a nondegenerate Laurent 
polynomial with the same Newton polytope is again nondegenerate. 

Corollary 6. Let K be a DVR with residue field k and let f e K[Z™]. Suppose f and 
its reduction f have the same Newton polytope. If f is nondegenerate with respect to its 
Newton polytope, then so is f (when considered over the fraction field ofK). 

Proof: Let r = r(f) = r(f). Let 7 be any face of r. If / is nondegenerate with 
respect to r, then so is / with respect to 7. Using an appropriate change of variables, 
we can apply Theorem 3 to find a Laurent monomial x^ 1 . . . x^™ and Laurent polynomials 
go, gi, . . . , g n e K[Z n ] such that 

df df 
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In particular, / 7 = = ■ ■ ■ = x n§^r L = can have no solutions in T^ ac ( K )- □ 

We conclude this subsection with a discussion on what can happen if our Laurent 
polynomial is not nondegencrate with respect to its Newton polytope. In that case much 
worse bounds than the one given in Corollary 5 need to be used. We restrict our examples 
to the bivariate polynomial case, i.e. / £ K[x,y]. If K is a field, a quadratic upper 
bound follows from general effective Nullstellensatz theorems, such as [27, Theorem 1.5]. 
Example 1 shows that this bound is asymptotically sharp. If K is a DVR, it is even 
impossible to give bounds in terms of r(f), which is shown in Example 2. 

Example 1. Let IK be a field of finite characteristic p and let d > 2p be a multiple of p. 
Consider the degree d + 1 polynomial 

/ = y d+l + x d -PyP + 1 

(its definition is inspired by [27, Example 2.3]). It defines an irreducible, nonsingular 
curve in Aj|, so take polynomials a, (5, 7 £ K[x, y] such that 

ox ay 

Let A be the maximum of the degrees of a, (3, 7. Homogenizing the above equation with 
respect to a new variable z yields that z x+d+1 £ I. Here, I C K.[x,y, z] is the ideal 
generated by the homogenizations of /, i.e. 

I = (x d - p y p z + z d+1 ,y d ). 
Now consider its image / under the map 

K[x, y, z] -> K[y, z] : h(x, y, z) i-> h(l, y, z). 

Then 

I=(yPz + z d+1 ,y d ). 

It is easy to verify that no power of z less than d 2 /p can be contained in I, and a fortiori 
the same holds for /. Therefore, 

A> — -d-1, 
P 

which is 0((deg/) 2 ). 

Example 2. Let K be an arbitrary DVR with local parameter t. Consider / = y — txy + 
(t rn + t 2 )x 2 — 1 £ K[x, y] for some big natural number m (its definition is inspired by an 
example in [1]). Since the system of equations 

/ = y - txy + (t m + t 2 )x 2 -1 = 
U = -ty + 2(t m + t 2 )x =0 
§ = 1 - tx =0 



has no solutions, neither over K, nor over K/(t), there exist polynomials a, (3, 7 £ K[x, y] 
that satisfy 

l = a/ + /3— +7— . 

ox oy 
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Putting y = 1 + tx and reducing modulo t m gives the following identity in K/(t m )[x}: 
1 = a((l - tx)(l + tx) + t 2 x 2 - 1) + P(-t(l + tx) + 2t 2 x) + 7(1 - to;) 
= -t/3(l - tx) +7(1 - tx) = (7 - t/3)(l - tx). 

Since the inverse of 1 - tx in K/(t m )[x] is 1 + tx + t 2 x 2 H h t m ~ x x m ~ x , we conclude 

that 

maxjdeg/?, deg7} > dcg(7 — t/3) > m — 1. 

In fact, the above example shows that even the valuations of the coefficients of / do 
not suffice to give a Nullstellensatz bound. The best we can do are results of the following 
type. 

Lemma 3. Let K he a DVR with local parameter t. For every d S N \ {0} there exists 
a non-zero polynomial gd C K[cy]i.jgN,i+j<d of degree < 3{d 2 + l)(d 2 + 2)/2, /or wfticft 
t/ie following holds. If 

/= E eK[x,y] 

i+j<d 

defines a smooth affine K-scheme, then there are polynomials a, [3, 7 € K[x, y] smc/i t/iat 
l = a / + /3f|+ 7 f ™^ 

dega,deg/3,deg7 < d 2 (l + ord t g d (C y )). 

Proof: Given such an /, we know from [27, Theorem 1.5] that there exist a',f3',j' G 
Frac(K)[x, y] of degree < o! 2 for which 1 = ce'f + (3'^ +7'§£- In other words, the formula 

1= ( E ^«v) /+( E ^v) g+ ( E v«*v) i 

\i+j<d 2 / \i+j<d 2 / \j+j<d 2 / y 

gives rise to a system Sf of linear equations in n = 3(d 2 + l)(c? 2 + 2)/2 unknowns 
a 'i j ) /^ij 1 7ij that is solvable over Frac(K). Let 

r := maxrank(<S/) < n, 

and let f = J2i+j<d C-o^j^V'' be a polynomial for which this rank is actually obtained. 
Then <S/ has a non-zero (r x r)-minor, which is a degree r polynomial expression in the 
Cg.ij. Let gd(cij) € K[cy] be the corresponding polynomial. 

Now, using Cramer's rule, we can find a solution to Sf such that the valuations of 
the denominators appearing in this solution are bounded by ord t gd(Co,ij)- In fact, this 
statement holds in general: for any f = J2i+j<dCijX l yi , we can find a solution to Sf 
whose denominators are bounded by ord t gd{Cij). Indeed, either gd{Cij) equals zero, or 
it is a minor of maximal dimension of Sf. Now using the induction procedure mentioned 
at the beginning of this subsection, and again using [27, Theorem 1.5] (but now over the 
residue field), we get the desired result. □ 



3 Cohomology of Nondegenerate Curves 

Let ¥ q be a finite field with q = p n , p prime. Given a Laurent polynomial / G F g [Z 2 ] that 
is nondegenerate with respect to its Newton polytopc _T, let C denote the nonsingular 
curve V(f), i.e. the closure in of the zero locus of / in the torus T 2 ^. Here Xp is the 
toric F g -surface associated to r. Suppose that C has genus g > 1. Then without loss of 
generality we may assume that 
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1. 

2. 



there are d t > d b G Z such that r has a unique top vertex (with y-coordinate dt) 
and a unique bottom vertex (with y-coordinate d b ) 
the origin is an interior point of r. 



{c t ,d t ) 

/ r 




{cb,d b ) 



The two important consequences of this setting are that 

1. the set S := {x k y l \k,leZ, d b < I < d t } is an F 9 -basis for 

2. every h G F 9 [Z 2 ] has support in mf for some big enough m G N. 

To see why we may assume that r is of the above shape, take vertices v t and v b such that 
\\v t — v b \\ is maximal. Take a G Z 2 with coprime coordinates such that it is perpendicular 
to v t — v b . Let (3 G Z 2 be such that a — (ai,a 2 ), (3 = (/?i, /? 2 ) generate Z 2 over Z. There 
exist (71,72), (Si, 62) S Z 2 such that 



Then the isomorphism x <— x 71 y 72 , y <— x 5l y 52 yields unique top and bottom vertices 
of the Newton polytope. Moreover, it preserves nondegenerateness. For the second con- 
dition, remember that the number of interior points in r equals g > 1. Let (a, 6) be 
an interior point, then x~ a y~ b f is nondegenerate with respect to its Newton polytope 
r — (a, b) and clearly (0, 0) is an interior point of r — (a, b). 

Let Q g denote the unramificd extension of degree n of Q p with valuation ring Z g 
and residue field Z q /(pZ q ) = ¥ q . Take an arbitrary lift / G Z g [Z 2 ] of / such that 
r(f) = r(f) = r. Note that we have properties similar to the ones mentioned above: 

1. the set S := {x y \ k, I G Z, d b < I < dt } is a Z g -module basis for q L^ 1 ; 

2. every h G Z g [Z 2 ] has support in mF for some big enough m G N. 

Due to Corollary 6, / is also nondegenerate with respect to its Newton polytope (when 
considered over Q q ). As a consequence, if C denotes the nonsingular curve obtained by 
taking the closure in Xp (the toric Q g -surface associated to r) of the zero locus of / in 
Tq^, we have that g(C) = g(C). Also, for each edge 7 of r we have 



where T 7 (resp. T 7 ) is the algebraic torus associated to 7 over Q q (resp. over ¥ q ) and 
the intersections are transversal. These and other observations reveal a deep geometric 
correspondence between C and C that is directed by the Newton polytope. This is the 
main reason why we work with nondegenerate curves. Indeed, as in Kedlaya's algorithm 
it enables us to compute in the algebraic de Rham cohomology of C. Namely, we have 
the following very general theorem [24, Theorem 1]. 




I 



#(CnT 7 ) = #(cnT 7 ), 
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Theorem 4. Let Y be a smooth proper r L q -scheme, let Z C Y be a relative normal 
crossings divisor and let X = Y \ Z. If X is affine, then for any i £ N there exists a 
canonical isomorphism 

^ fl (*®z,Q,)^flW(*®z,F (I /0,) ) (8) 

where H % DR denotes algebraic de Rham cohomology and H\ lw denotes Monsky- Washnitzer 
cohomology. 

Z [Z 2 1 

The above theorem applies in our situation with X = Spec -jjj 1 and Y its closure 
in the toric scheme associated to r (this is constructed exactly as in Section 2.1, with K 
replaced by Z g ). This is a smooth proper scheme and by the above observations Z = Y\X 
is indeed a relative normal crossings divisor. 

An alternative proof of Theorem 4 (in the case of a nondegenerate curve) follows 
from the material in Section 5. There we will implicitly prove that the canonical map (8) 
with i = 1 is surjective. Since both Z ®% q ¥ q and Z ®% q Q q contain #(9r n Z 2 ) points, 
we have that the dimensions are equal, which shows that the map is an isomorphism: 

dim #1^X0^ Q q )= dim Hl IW (X ® Zg ¥ q /Q q ) = 2g + #(9fn Z 2 ) - 1 = 2Vol(r) + 1 . 

The last equality follows from Pick's theorem [18] and Corollary 4. This relationship 
between Vol(_T) and the Betti numbers of X ®% q Q q was already noticed in a much more 
general setting by Khovanskii [26]. 

As a first step towards constructing a basis for Hp R (X®z q Q q ), we prove the following 

theorem. Let A = ?L J , denote by D L (A) the universal Z g -module of differentials of A, 
and by d : A — > D 1 (A) the corresponding exterior derivation. Thus Hjj R (C n Tq ) = 

l$T ®*, Q q . 

Theorem 5. Every element of D 1 (A) ®% q Q q is equivalent modulo d(A) <8>z, Qq with a 
differential form u) with divisor 

DivcM > -D c -W c . 

Proof: First, suppose that all places Pk E C \ T 2 ^ are Q g -rational. Write Dc = 
Sfe=i a kPk- Since the origin is an interior point of r, all > 0. Note that Dc + Wc = 
J2k=i( a k + 1)-Pfe and that deg£>c = J2k=i a k > %9 ~ 2 due to Corollary 4. Now let 
u>' S D 1 (A) <g)z ? Q q have a pole of order bk + 1 > + 1 at some place Pk- Because of the 
Ricmann-Roch theorem, we can find a function h £ C{a\P\ + ■ ■ ■ + bkPk H — ■ + a r P r ) \ 
C{a\P\ + ■ ■ ■ + (bk — l)Pk + • • • + a r P r ). Then adding to u/ a suitable multiple of dh will 
reduce the pole order at Pk- Continuing in this way eventually proves the theorem in 
case all Pk are Q 9 -rational. 

The general case follows easily from the above, using that Dc and Wc are defined 
over Q q . □ 

In the above proof we reduced the pole orders one place at a time for simplicity. 
However, in the algorithm the reduction will proceed more simultaneously by moving 
from 'level' mDc + Wc to 'level' (m — l)Dc + Wc- Indeed, because of Theorem 2 we 
have a good understanding of what the spaces C(mDc) look like. For the same reason, 
it is more natural to work with functions instead of differential forms. 

Consider the following map 

A : A ®z q Q q —> D 1 (A) ® Zq Q q : h ^ h- * 



xyfy 
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Let a, [3 £ A be such that 1 = af x +[3f y . Then dx/ f y = f3dx — ady , which shows that A is 
well-defined. Moreover, for any gi, g% € Awe have that A(xy(f y g\ — f x g2)) — 9idx+92dy, 
so that it is in fact a bijection. By Corollary 3 we have Divc(A(h)) = T)iv(h) + Dc — Wc- 
Applying Theorem 5 shows that each differential form in D 1 (A) ®% <Q) q is equivalent 
modulo exact differential forms with an lo with divisor Divc(w) > — Dc — Wc- Take 
h £ A <S>z q Q q such that A(h) = w, then 

BW c (A(h)) = T>iv c (h) +D C -W C > -D c -W c ^he C(2D C ) ■ 

This shows that A(£(2D C )) generates H^ R (C n T^). 

To find an actual basis for Hp R (C fl Tq ), we define an operator D on A such that 
the image under A is an exact differential, i.e. dh = A(Dh). The definition of D follows 
easily from the following: 

dx 

dh = h x dx + hydy = xy(f y h x - f x h y ) — , 

x UJy 

and thus 

By Theorem 2 we have the following corollary. A related description, for nondegen- 
erate hypersurfaces of any dimension, is contained in [2, Corollary 6.10 and Theorem 
7.13]. 

Corollary 7. If the origin is an interior point of r, then A induces an isomorphism of 
Q q -vector spaces: 

fL r + D(L r ) = H hn(C nT* Qg ) . 

Note that the proof of the above corollary does not provide an explicit bound on the 
denominators introduced during the reduction, which is required to determine the p-adic 
precision up to which one has to compute. In Section 5 we describe a simple reduction 
algorithm and at the same time prove tight bounds on the loss of precision. 

4 Lifting Frobenius Endomorphism 

We begin this section by introducing the following notation. Write 

FJZ^] _ Z g (Z 2 ) t _ Z g (Z 2 )t 

(7) ' (/) ' (/) ' (/) ' 

and define the p th and q th power Frobenius endomorphisms 

T p :A^A:a^a p , T q :A -^A : a ^ a g . 

A main task in developing a point counting algorithm using Monsky-Washnitzer coho- 
mology is the computation of a Z p -algcbra endomorphism J- p : A^ — > A^ that lifts T v in 
the sense that T v o 7r = 7r o T p , where 7r is reduction modulo p. Then T q :— T v o • • • o T v 
is a Z g -algebra morphism that lifts T q . Note that decomposing T q into n copies of T v (p 
small) dramatically improves the running time of the algorithm: this is the main reason 
why p-adic point counting algorithms are especially well-suited for small values of p. 

First, we consider the following Hcnscl-likc lemma. In a paper subsequent to this one, 
Kedlaya gives a related result, with a more elegant proof [25]. 
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Lemma 4. Let T be a convex polygon in R 2 with vertices in 1? . Take a, b G N (not both 
zero) and let H(Z) = Y.h k Z k G Z q [Z 2 ][Z] satisfy 

1. r(h k ) C (ak + b)r for all k G N; 

2. ho = mod p; 

3. h\ = 1 mod p. 

Then there exists a unique solution Zq = X)(ij)ez 2 a i,j x% V^ S (p) C Z g (Z 2 ) to f/ie egwa- 
tton H(Z) = 0. Moreover, if m G N and (r, s) G Z 2 are sucft £/ia£ ^ m_T 7 i/ien 

ord o > — 

Ulu p«r,s ^ 2(a+b) ' 

Remark 1. Note that we implicitly force T to contain the origin: this follows from condi- 
tions 1 and 3. If T = {(0, 0)}, Lemma 4 is just Hensel's lemma over 1 q . Finally, remark 
that if (r, s) is not contained in any multiple of T, the above lemma implies that a r ^ s 
equals 0. 

Proof: The existence and uniqueness of Zq follow immediately from Hensel's lemma, 
applied over Z g (Z 2 ). Therefore we only need to prove the convergence bound. Let (r, s) G 
Z 2 and raeNbe such that (r, s) ^ mT. Then there exists an edge spanning a line 
eX + fY = c (e, /, c G Z), where T C G Z 2 | ei + fj < c}, such that er + fs > mc. 

Using a transformation of variables of the type used in Lemma 2, we may assume that 
e = 0, / = 1 and c > 0. Thus s > mc. 

Now, replace in H(Z) all occurrences of y~ x with a new variable t. We get 

with deg y /i/c.rcpi < + b)c. Note that the conditions for Hensel's lemma are still 
satisfied. So there exists a unique 

^0,rcpl= 51 K],kX l y j t k G (p) dlL q {x ±X ,y,t) 

(jj\fc)eZxN 2 

satisfying i? re pi(^o,ropi) = 0. If we substitute y^ 1 for t, we get precisely Z , due to the 
uniqueness statement in Hensel's lemma. Henceforth 

Or.s — ^ ^ b r j.fc. (9) 
j-k=s 

Let if be a suitably ramified extension of Q 9 and denote by R its valuation ring. Consider 

H'^{Z') = Y J ^ {k - V) h k {x,p-^ V ' ,t)Z' k e \t][Z'] 

obtained from H rcp i(Z) by substituting y <— p~ IJ ' 1 y', Z <— p^ 2 Z' and multiplying every- 
thing with p~^ 2 . Here /xi,/X2 are positive rational numbers to be determined later. We 
know that if 

M2 + iMi < 1 Vj < be, (10) 
J>i<l Vj<(a + 6)c, (11) 

and 

(k - 1)^2 > iMi Vj<(afc + 6)c (12) 

for fc = 2, . . . , deg iJ, then H^ epl has integral coefficients and iJ r ' opl (0) = and d ^|. c , p ' (0) = 
1 mod P. Here P is the maximal ideal of R. In that case, Hensel's lemma implies that 
there is a unique Z' 0lepl e p ' ^(^ ±1 , 2/', t) suc h tnat #rc P i( z o,rc P i) = °- Write 

(ij,fc)eZxN 2 
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and perform reverse substitution to obtain that 

(ij,fc)GZxN 2 

is a solution to iJ rep i(Z) = in P ■ i?(x ±1 , t). Again using the uniqueness statement in 
Hensel's lemma we conclude that this is precisely Z 0j c P i- As a consequence 

ordp&j^fc > jm + \i 2 - 

Using (9) we find that ord p a r ^ s > s\i\ + /i 2 > rac[i\ + fi 2 - This gives the desired result, 
since we can take [i 2 = %"a+l)c+e and Mi = 2(a+b)c+e for an y £ e < Q>°- D 

We are now ready to describe the construction of T v . In doing so, we will systemat- 
ically make a notational distinction between power series g and the cosets [g] (modulo 
/) they represent (something which is usually not done in order to simplify notation). 
Throughout, the assumptions about r made at the beginning of Section 3 should be 
kept in mind 4 . 

We will use a technique that was first described in [9]. Suppose we can find a Z E 
Z q (Z 2 ) ji and polynomials 5 x ,5 y € 7L q \E?\ such that 

ir(xP(l + 5 x Zo),y p (l + S y Z ))} = [0] in A\ 

where f a is obtained from / by applying Frobenius substitution 5 to the coefficients. 
Then 



[x] h-> [x p {l + S x Z )\ 
[y] i * [y p (1 + 6 y Z )} 



(acting on Z q by Frobenius substitution and extended by linearity and continuity) is a 
well-defined Z p -algebra morphism that lifts T v . 

Take P,~f3 x ,~j3 y € F 9 [Z 2 ] with support in 2F for which 

i = M + -p xX f x ^ y yf y 

(this is possible due to Corollary 5). Let 5, S x , S y be arbitrary Newton polytope preserving 
lifts of /f ,/3^ resp. f y . Then clearly r(8), r(5 x ), r(5 y ) C 2 P r. 

Now let x a y b be any monomial such that g(x,y) = x a y b f(x,y) has support in N 2 
and define G{Z) = x- pa y- pb g a {x p {l + S X Z), yP(l + S y Z)) e Z q [Z 2 ][Z], where g a is again 
obtained from g by applying Frobenius substitution to the coefficients. Since 

dC 

G(0) = f p and — {0) = l + {aS x + b5 y -S)f p mod p 
clZ 

we see that [G(Z)] = [0] has a unique solution [Z{\ that is congruent to mod p in the 
Henselian ring . However, Hensel's lemma does not provide any information on the 
convergence rate of Z\ (or any other representant of [Zi]). To solve this problem, define 

H(Z) = G(Z) - (aS x + bS y - 5)f p Z - f p . 



4 In fact, for this section it suffices that r contains the origin (not necessarily as an interior 
point). 

5 By Frobenius substitution we mean the map 7h q — > 1 q : ^2°l ^iP l >— * X^o 71 "^' wnere the 
m are Teichmiiller representatives. 



19 



Then clearly [G(iT)] = [H(Z)], but now the conditions of Hcnscl's lemma are satisfied 
over the base ring, so that there exists a unique Z G (p) C Z q {Z 2 ) for which H(Z n ) = 0. 
We have that [Z ] = [Z{\. Note that if we expand 

dcgif 

H(Z)= J2 h k (x,y)Z\ 

fc=0 

one easily checks that 

r(h k ) C (2k + l)pR (13) 

Therefore, we can apply Lemma 4 and conclude that Z = j)ez 2 a i,3 x% V^ where the 
aij satisfy: 

Tfl 

Mi, j G Z, m G N : £ mF ordpOij > — . (14) 

Our next step is to investigate what the convergence rate of Zq tells us about the 
convergence rate of Z x = 1 + S x Zq and Z y = l + 5 y Zo. Write Z x bi,jX l y : ' . We 
claim that 

TfX 

Mi,j G Z, m G N : (i, j) mF ordpfoj > —. 

op 

Indeed, since Zq = mod p, this statement is definitely true for m < 8p. If m > 8p, then 
22 1^ £ > Now suppose (i, j) ^ mf. Write ^ = S(i,j)e2 P r ^j^V '■ We know that 

k+r—i, £-\-s—j 

and since (fc, ^) G 2p.T, we know that all (r, s) appearing in the above expansion are not 
contained in (m — 2p).T. Therefore 

m - 2p m 
ord pbiJ > > -. 

These observations allow us to state the main result of this section. 
Theorem 6. There exist units Z x ,Z y G Z q {I?)^ such that 



J~p . A *■ A^ . 



N » [ x pz x ] 
[y] ~ [y p z y ] 



(extended by linearity and continuity and acting on 7L q by Frobenius substitution) is a 
well-defined Z p -algebra morphism that lifts T v . Moreover Z x , Z y , Z x x , Zy 1 satisfy the 
following convergence criterion: if G Z 2 ,m G N are such that ^ mF , then the 
coefficient of x % y^ has p-order > 

PROOF: It only remains to show that Z~ x and Z y x satisfy the convergence criterion. 
This can be done as in the proof of Lemma 4. We refer to [4] for a detailed proof. □ 

Remark 2. The larger denominator (9p instead of 8p) is a small price we have to pay 
during inversion, but it also allows us to write down a strict inequality (> instead of >). 
In this form, the convergence criterion is closed under multiplication, i.e. 



£ »i,jiVeZ,(z 2 ) 

(i,j)€Z2 



Mm G N, G Z 2 : ^mF => ord p a i;j > — } (15) 



9p 

is a ring. We will use this in Section 7. 
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5 Reduction Algorithm 



Throughout this section, r should again satisfy the assumptions made at the beginning 
of Section 3. An important step in our algorithm (see Section 7) is to reduce Laurent 
polynomials modulo the operator D defined in Section 3. Below we describe a procedure 
that solves this problem and prove that, after multiplying with a small power of p, 
the reduction process is entirely integral, which enables us to tightly bound the loss of 
precision. 

First, we need a few more theoretical results. Let {ti, . . . , t r } be the edges of T, let 
{Ti, . . . ,T r } C X r be the corresponding Q g -tori and let {T\, . . . ,T r } C X r be the 
corresponding F 9 -tori. The reductions mod p of the points in Tk fl C are precisely the 
points of Tk (~l C. For every k = 1, . . . , r, we can find Cfc, bk £ Z such that 

x Ck y bk (16) 

defines a local parameter, at both P and P, for each P e Tfc DC. Indeed, these assertions 
follow from the proof of Lemma 2: Cfc, bk depend only on the geometry of T. If in what 
follows we say 'local parameter over Z q \ actually any t £ Z g [Z 2 ]/(/) for which both t 
and its reduction mod p are local parameters at P resp. P will work. 

Below, let Q" r C Q q denote the maximal unramified extension of Q q and let Z q r be 
its valuation ring. Note that all places P £ C \ T 2 ^ are defined over Q q r . 

Definition 4. 

1. LetLW then for any set S of Laurent polynomials, define =SC\L^. 

2. Let L^ be the subset of consisting of those h for which the following holds. For 
every P £ C \ Tq^ , take a local parameter t over Z q . Then the condition is that 

L A{h) = Y^ atf Kez-) 

i—v 

satisfies ord^a^ > ord p z (alternative notation: i\di) for all i < 0. For any set S of 
Laurent polynomials let = S (~) L^K 

Again we remark that the above definitions are vulnerable to notational abuses. 
For instance, if S consists of cosets of Laurent polynomials, then consists of those 
Laurent polynomials having a representant in L^\ and so on. 

The set L^ appears naturally 6 when we apply the operator D = xy {^j-§^ — j^-§^j 
that was introduced in Section 3 to an element in L^ . 

Lemma 5. If h £ L<® , then Dh £ L^l 

Proof: Let P £ C \ Tq and let t be a local parameter over Z g at P. By the definition 
of D, we have 

^-A(Dh) = 1-dh. 
dt x 1 dt 

Write h = J2°Z V bit 1 , then clearly j^dh — Y^iLv which proves the claim. □ 



Lemma 6. Let D be a divisor on C which is defined over Q q and which has support in 
C \ Tq^ . Then C^°\D) is free and finitely generated over Z q . 

6 In [12, Proposition 5.3.1], Edixhoven uses a similar set. 
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Proof: We first prove that the following 'strong' version of Theorem 2 holds: for every 
m G No, the module £(°\mDc) is precisely given by L^ r . Take an element of C^ r , 
represented by some h G Z 9 [Z 2 ]. By Theorem 2, there is an a G Q g [Z 2 ] such that h + af 
has support in mP . Write a = ct\ + where all coefficients of ct\ are integral and all 
coefficients of a 2 are non- integral. We claim that h + ct\f has support in ml '. Indeed, 
suppose this were not true, then a 2 f has a non-zero term with support outside mP . This 
implies that a 2 has a non-zero term with support outside (to — \)P . Let aijX % yi be such 
a term. Then r has an edge spanning a line dX + eY = c (with r C {(r, s)\dr + es < c}) 
such that rfi + ej > (to — l)c. Consider the following monomial order: 

x r y s -< ir fe ?/ if rfr + es < rffc + e£ 

or if rfr + es = dk + el and r < k 

or if dr + es = dk + e£, r = k and s < I 

(where the last line is only of use if e = 0). We may suppose that x % yi is maximal with 
respect to -<. Take the term b rs x r y s of / that is maximal with respect to -< (in particular, 
dr + es = c). Then cnjb rs x l+7 V +s is a term of atzf with support outside mf. Because 
h + otif + otzf has support in mF and h + ot\f G Z 9 [Z 2 ], this implies that aijb rs is 
integral. But this is impossible, since aij is non-integral and b rs is a p-adic unit. 

Now since £(°)(£>) c C^\mDc) for some big enough to G No, and since the latter is 
finitely generated, we have that L^\D) is finitely generated as well. This follows from 
a well-known theorem on modules over Noetherian rings. But it is also well-known that 
every finitely generated and torsion-free module over a principal ideal domain is free, 
which concludes the proof. □ 

For the following two lemmata, fix a point P G C \ T 2 ^ and let Q 9 = D Q 9 be its field 
of definition. Denote the valuation ring with Z ?3 and the residue field with W q s . Write 
Gal(Q 9 s,Q 9 ) = {<7i,<72, . . . ,a s } with a\ = idq^ . Let P be the divisor Yli=i ^" 7i ■ Note 
that if t is a local parameter at P over 7L q , then it is a local parameter at any P ai over 
Z,. 

Lemma 7. Let E be an effective divisor on C which is defined over Q q and whose 
support is contained in C \ ^q q - Assume that degE > 2g — 2. Then there exists an 

h G C$ (E + P) such that: 

1. h has a pole at P of multiplicity ovdp{E) + 1. 

2. Let t be a local parameter over Z 9 at P. Then h has an expansion J2iLv ai ^' with 
all di G Z q s and a v a unit in Z qS . 

PROOF: Consider the following diagram where the vertical arrows are the natural reduc- 
tion modulo p maps: 



The vertical maps are surjective, since after tensoring with ¥ q they become clearly injec- 
tive and hence surjective since both have the same dimension by Riemann-Roch (here we 
used the foregoing lemma). Let h G £^ F s (E+P)\£g F e (E) and choose h G Cq^ s (E+P) 
such that h reduces to h mod p. □ 
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An important feature of the foregoing lemma is the following: if we replace P by 
P CT * for some a, E Gal(Q ?s , Q q ), then h a - E C^ s (E + P CTl ) again satisfies the above 
conditions. Indeed, o~i(a v ) is a unit in Z gS . 

Lemma 8. Let E be an effective divisor on C which is defined over Q q and whose 
support is contained in C \ Tq^ . Suppose that degE > 2g — 2, then the map 



( + ' £W(E + D C ) 



){E- 
is surjective. 

Proof: Let h E C^{E + D c + P) \ £W(E + D c ). By Corollary 3 we have DivA(h) 
Div/i + Dq — Wc- Let t be a local parameter over Z 9 at P, then 

ordp (^j^J = OYdp(h) + ord P (D c ) 

= -ord P (E + D C + P) + oidp(Dc) 
= -ordp(E) — 1 = — n , 



with n = ovdp{E + P). Therefore we have a local expansion 

t.A(h) 

= b t~ n + ht- n+1 + ■■■ , 



dt 

at P, with n\bo- Note that the expansions at the conjugate places P CTi are given by 



eft 



= ( j J (feo)^" + ^(6i)^ Il+1 + 



Using Lemma 7 we find an /i e (E + P) with power series expansion at P: 

h Q = a t- n + ai t- n+1 + • • • , 
and with ao a p-adic unit. Define 

hi=h + J2 -^rD(hZ) = ft + £> (W ^h ) ) E (E + Dc + P), 
f^no-iiao) u V \ na o J J 

then we have the following expansion at P: 

tAjhi) = tA(h) b Q tdh _ Q t _ n 
dt dt na dt 

and thus ordp ^ tA ^^ ^ > — n + 1. Similarly, the pole orders at all conjugate places P ai 
are reduced by at least 1. Note that 

ordp., (j^^j = ordp., (h 1 ) + ordp., (D c ) , 

since DivA(hi) = Div/ii + Dc — Wc- Hence we see that ordp.;(/ii) > — n + 1 — 
ordp^(D c ) = 1 - ordp^-E + D c + P), thus /ii e + D c ) which finishes the 

proof. □ 

A repeated application of the above lemma gives the following result. 
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Corollary 8. Let E be an effective divisor which is defined over Q q and whose support 
is contained in C \ T 2 ^ , then the map 



is surjective. 



The above corollary can be turned into a reduction algorithm and also provides a 
sharp bound for the loss of precision incurred during reduction. Indeed, since the Newton 
polytope r contains the origin as an interior point, any Laurent polynomial h G Z g [Z 2 ] 
will be contained in an L^ r with m G No big enough. Let 

e= log p max{-ordp(/i)} PeCVT 2^ 

then clearly p £ h G L^ r . So we can as well assume that h G £^r- By Theorem 2, we have 
C(mDc) = L m r and applying Corollary 8 with E = (m — 2)Dq (we can assume that 
m > 2, since otherwise no reduction is necessary), shows that there exists a g € L^_^ r 

such that h r = h — D{g) G C^(2Dc)- Note that after multiplication with p e the entire 
reduction process is integral, so if we want to recover the result h r modulo p N , we need 
to compute h modulo p N+£ . To finalize the computation, we need to express h r on a 
basis for Hj-> R (C (~iTq ), which could cause a further loss of precision, depending on the 
basis chosen. But clearly, as long a we choose a 'Z g -module basis' for Hp R (C (~l Tq ), no 
further loss of precision will occur. More precisely, we mean the following. Consider the 
module 

£(°\2D C ) 
H £>(£(£><?)) n L(°) ' 

then Mh is a free Z 9 -module since it is finitely generated and torsion-free. Therefore, 
any Z 9 -basis for Mh forms a suitable basis for Hj-> R (C fl 7q ), such that in the final 
reduction step, no further loss of precision is incurred. 

In the above description, we used any representant for an element of the coordinate 
ring of C; in practice however, we would like to work with a unique representant. Given 
the Newton polytope r of /, there are many possibilities to choose a suitable basis B 
for Q 9 [Z 2 ]/(/). The assumptions about r made in Section 3 already led to the following 
natural choice 

B = {x k y l | k,l eZ,d 6 < Z < d t ] , 

with (ct,dt) (resp. (cb,db) ) the unique highest (resp. lowest) point of r. 

Let S[ mitTn2 ] with mi < m2 denote the set of Laurent polynomials with support in 
the rectangle [mi,m 2 ] x [db,d t — 1], then the reduction process proceeds in two phases: 
the first phase reduces terms in <S[o, m ] with m G No and the second phase reduces terms 
in /S , [_ m ] with m e No. Since both phases are so similar, we will focus mainly on the 
first phase and briefly mention the changes for the second phase. 

Phase 1: Any clement h G S^ m ^ can be forced into by multiplying it with p e 

where 

e = [log p (mM x + A)] 

with M x = max{— ordp(a;)}p eC .\ T 2 and A = max{— ordp(y d * _1 ), — ordp(y db )} PeC \ T 2 . 
If we now want to apply Corollary 8 to an element h G «5^ TO p we need to find a divisor 
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E over Q q such that S$ m] C £^(2D C + E). Then by Corollary 8 there exists a, g E 

£ {0) (D C + E) such that h - D(g) G £ W (2D C ). In practice however, we do not want to 
work with explicit Riemann-Roch spaces; as such we want to find a divisor E (depending 
on to) and constants c\ , c 2 eZ (independent of to) such that 

S [0 , m] C £(2D C + E) and £(D C + E) C S[ Cl , m+C2 ] • 

The reduction algorithm then becomes very simple indeed: to reduce h G Spj^ m ] , we only 
need to find age S$ TO+C2 i such that /i — £>(<?) G £W(2.DcO, using linear algebra. 

Recall that the divisor of any function h G Q q (C) can be written as the difference 
of the zero divisor and the pole divisor, i.e. Div(h) — Divo(/i) — Divoo(/i), Divo(/i) > 

0, Divoo(/i) > and Supp(Divo(/i)) n Supp(Divoo(/i)) = 0. Furthermore, two trivial 
observations are that h G £(Divoo(/i)) and Div^/i -1 ) = Div (/i). Consider the divisor 

E m = -d b Div (y) + (d t - l)Divoo(y) + mDiv 00 (a;) 

then E m > and S 1 ^,™] C C(E m ) C C(2Dc + E m ), so we can apply Corollary 8 with 
_E = E m . Note that _E m is indeed defined over Q q . 

Remark 3. It is clear that the choice for E m is not entirely optimal, since we could sub- 
tract the contributions in 2Dc and still obtain the above inclusion. The most important 
simplification in practice is that 2F is 'likely' to contain the interval [db,dt — 1] on the 
y-axis and then E m can be simply taken to be TODivoo(x). However, in general this need 
not be the case. 

To determine the constants c\ and c 2 we first prove the following lemma. 

Lemma 9. Let E be a divisor on C which is defined over Q q and with degE > 2g — 2, 
and let h E Q q (C) be a function on C. Then for any to G No the following map is an 
isomorphism: 

£(£ + Divoo(/0) -h™-\ CjE + mDiv^jh)) 

C{E) r(f? + (m-l)Divoo(/i)) ' 

Proof: Since degE > 2g — 2 and Div^/i) > 0, the Riemann-Roch theorem implies that 
the dimensions of both vector spaces are equal to degDivoo(/i), so it suffices to prove 
injectivity. Let g G C{E + Div oc (/i)) and assume that h m ~ 1 g G £(E + (to — l)Div QO (/i)), 

1. e. 

(to - l)Div(ft) + Div(.g) >-E-(m- l)Di Voo (/i) , 

which implies that Div(g) > — E — (to — l)Div (/i). Since g G £(E + Divoo(/i)), i.e. 
Div(g) > — E — Divoo(/i) and the supports of Divo(/i) and Div^/i) are disjoint, we con- 
clude Div(g) > -E or g G £{E). □ 

In what follows, we will use the abbreviation E y — — d(,Div (j/) + (d t — l)Divoo(y), so 
E m = E y + mDiv oc (x). Choose integers K\ < and ^2 > such that £^°'(Dc + E y + 
Divoo(x) +Div (a;)) C S[ KltK2 ]. In particular, £(°>(Dc + Ex) C S[ Kl<K2 ]. This can then be 
generalized to the following. 

Corollary 9. £(D C + E m ) C S [Kum _ 1+K2 ]. 

Proof: Apply Lemma 9 with E = D c + E y and h = x. □ 
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Thus, given h G S$ m] wc find 5 G S|™ m _ 1+I(2] such that h - D(g) G £«(2£c) 
using linear algebra over Z q . However, for big m the linear systems involved get quite 
large, so we compute g in several steps: let ho = h and choose a constant c G No, then 
in step 1 < i < t (where t will be determined later) we compute a g% such that 

hi = hi-i-D( 9i )GS^ m _ ic] . 
In the last step, i.e. step t + 1 wc find a g t +i G TO _ tc _ 1+K2 j such that 

h t+1 = h t -D(g t+1 )e£W{2D c ). 

We postpone this last step until after Phase 2, since it is better to treat the last steps of 
both phases at once. To determine which monomials appear in the gi for 1 < i < t we 
prove the following lemma. 

Lemma 10. //me%ieZ with d b < k < d t , then D(x m y k ) G Sgl+m-Ma+m-i] ■ 

PROOF: By definition of D we have D(x m y k ) = x m y k (myf y - kxf x ). Note that the 
support of g = myf y — kxf x is contained in r and thus g G C(Dq)- Furthermore, by 
definition of E y we have y k G C(E y ). Therefore, by definition of K\ and k 2 we conclude 



that D(x m y k ) G S r (1) , , , tl . 



□ 



The above lemma finalizes the description of the algorithm: in step i it suffices to 
take gi in Sy ai ^^ with 

a, = m — ic — K2 + 2 and 6^ = m — (i — l)c + Ki — 1 , 

and to work modulo a; m_ic . There are two natural conditions that t and c should satisfy. 
The first one is related to the fact that we want to work in S , [ 0j +oo] only. Therefore, 

a t > —ni + 1 which is equivalent with tc < m + k\ — n 2 + 1 . 

The second condition keeps track of the fact that something which is already in £W (2Dc) 
cannot be reduced anymore. Therefore, choose integers 7 Xi < 0, %2 > such that 
C^(2Dc) C £[2xi,2x2]- ^ th cn suffices to impose 

tc<m — 2x2- 

The number of unknowns in the linear system of equations in step i is precisely the 
number of monomials in S^^j, which equals (dt — db)(c + 2k 2 — 2). Note that this also 
appears as a natural upper bound for the number of terms in £>(£[„. ^.j) modulo x m ~ tc , 
so we obtain a system with as least as many unknowns as equations. 



Phase 2: Since the second phase is very similar to the first, we will only briefly mention 
the main differences. To force an element h G S^ m j with m G No into S^} m p we need 
to multiply with p £ where 

e= [log,, (mM 1/x + A)] 
with M 1 / x = max{— ordp(x~ 1 )} PgC \ T 2 and A as before, so from now on assume that 

* Qq 

h G S^ m0 y The divisor E m now becomes E m = E y + mDiv 00 (x^ 1 ) and applying 
Lemma 9 with h = x~ x shows 

C(D C + E y + mDivoo^- 1 )) C S[ 



7 The parameters ki , K2 and \\ , \2 will be discussed more extensively in Section 7. 
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where ki,k 2 are chosen as in Phase 1. In step i we now compute a gi such that hi — 
hi-i — D(gi) G S^ m+ic j for some constant c G No- An analogue of Lemma 10 (replace 

S [ll+ m -l, K2+m -l] With Sg-m+l^-m+l]) finall y leadS t0 9i G ^k] ^th 

aj = — m + (i — l)c + «i + 1 and 6, = — m + ic — K\ — 2 . 

The number of steps t is determined by the following inequalities: 

tc < m + K\ — «2 + 1 and tc < m + 2%i . 

The systems to be solved have (d t — <4)(c — 2/ci — 2) unknowns, that are related by at 
most the same number of equations. 

Step t + 1: During Phase 1 and Phase 2, we reduced a given polynomial h G 
modulo D to obtain a polynomial h t £ „ 2 ] , where n\ G No is roughly of size 

max{— 2xi, «2 — «i} and ri2 G No is roughly of size max{2x2, «2 — In this last step, 
we reduce to a polynomial h t +\ G £^(2Dc) by brute force. From Corollary 9 (and its 
Phase 2 analogue) we know that there is a q t +\ G , , , , , such that 

& > [-ni+l+Ki,n 2 -l+K2] 

ftt-D(ft+i) G£ (1) (2i? c ), 

so we can compute h t +\ by solving a system of at most (dt — (4)(2(k 2 — ki) +ni +n 2 — 3) 
equations in 

(dt - d b )(K 2 - /si + m + n 2 - 1) + #(2r n Z 2 ) 

unknowns. Here, the latter term equals 4Vol(_T) + #(9r n Z 2 ) + 1 by Ehrhart's theorem 
[13]. 

Solving linear systems over Z q . Let r, s G No and consider a matrix ^4 G Z^ xs and 
a vector d € ZJ. Let N G No denote the p-adic precision up to which is to be computed. 
The aim is to find anxeZ* such that A-x = b mod p N . Note that this is slightly weaker 
than finding the reduction mod p N of an x G Z* such that A ■ x = b (exact equality over 
Zq), but only slightly: from Lemma 11 below it follows that it suffices to increase the 
precision in order to solve this. 

Using Gaussian elimination, where in each step the pivot is taken to have minimal 
p-adic valuation, one can find invertible matrices Ni G Z^ xr , N 2 G Z^ xs such that 

Ni ■ A - N 2 

is a diagonal matrix whose diagonal elements are called the invariant factors of A. We 
then have the following lemma (the proof is immediate). 

Lemma 11. Let 9 G N be an upper bound for the p-adic valuations of the non-zero 
invariant factors of A and let N > 9. Let Xq G Z* satisfy 

A ■ xo = b mod p N . 

Lf there is an x G 7L s q such that 

A - x=b, 

then x can be chosen to satisfy x = xq mod p N ~ e . 
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The method works as follows. First, precompute the invariant factors and the matrices 
Ni and iV 2 (and their inverses) modulo p 2B . In total, we need 0(d 3 n9) time to do this, 
where d = max{r, s} is the dimension of A. 

Now suppose we have an Xo such that A ■ xq = b mod p N for some N > 9. By 
Lemma 11, we can find an x of the form Xo + tp N such that A ■ x = b mod p 2N . To 
this end, we have to find a t such that 

A.t.^-^mod^. 

Let T(N) denote the time needed to solve a linear system (with fixed linear part A) up 
to precision N, assuming it has a p-adic solution. Then 

T(2N) = T(N) + T(N + 9) + 6{d 2 nN). 

Here, the first term comes from the time needed to compute xo. The last term is dom- 
inated by the computation of A ■ xo modulo p 2N . The second term comes from the 
time needed to compute t, given (b — A ■ xo)/p N ~ mod p 2N . Similarly, T(N + 6) = 
T(N) + T(26) + 0{d 2 nN). Using our precomputation and the fact that 6 < N, we have 
that T(20) = 0(d 2 nN). In conclusion, 

T(2N) = 2T(N) + 0(d 2 nN). 

It is obvious that this recurrence relation still holds if N < 9 (again using our precom- 
putation). From a well-known observation in complexity theory (see for instance [45, 
Lemma 8.2.]) we conclude that 

T{N) = 0(d 2 nN). 

Together with our precomputation this results in 0(d 2 nN + d 3 n9) bit-operations. The 
following lemma concludes this section. 

Lemma 12. Let m G No be the level at which the reduction starts, i.e. suppose that the 
polynomial to be reduced is in S^ m , . The p-adic valuations of the non-zero invariant 
factors of the matrices A appearing in our reduction algorithm are bounded by 8 = 
[log p ((m + 2(k 2 - Ki + 1))M + A)] , where 

M = max{±ordp(a;)}p eC \ T 2 and A = max{— ordp(y dt_1 ), — ordp(y d6 )} P(EC \ T 2 . 

PROOF: We claim that A has the following property: if b e p e ^ r q is such that the system 
A-x= b has a solution in Q^, then it has a solution in 7L s q . Since N\ and N 2 are invertible 
over Zq, this property then still holds for the matrix N\ ■ A ■ from which the result 
easily follows. 

For simplicity, we will only prove the claim in case A comes from the system that has 
to be solved during Step 1 of Phase 1. The other cases work similarly. Let b E P®1 r q be 
such that A ■ x = b has a solution in <Q>*. Then b corresponds to a polynomial 

h F 

" c t3 [m-c+l,m+2K 2 -2] 

for which there exists a g E 5 , [m-c-K 2 +2,m-i+K 2 ] suc h that 

h - D{g) E S [0 

,m—c\ ■ 
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By Corollary 8 and Corollary 9 (see the first sentence after the proof of Corollary 9), we 
can reduce this further to eventually obtain a g E S[ Kltm -i+ K2 ] such that 

h-D{g)eC{2Dc). 
Now, let {v\, . . . , v m } be a Q 9 -basis for 

C{2D C ) 
D(C{D C )Y 

As explained in Section 3, this is also a basis for Hp R (C). In any case, we can find a 
go E £{Dc) such that h — D(g) — D(g ) = \iV\ + • • • + X m v m for some Ai, . . . , A m E Q q . 

On the other hand, since h G ^-0+1^+2^-2] we can find a g' E ^ [ ( " 1 \ m+3K2 _ 3] such 
that 

h - D(g') e C{2D C ), 

again by Corollary 8 and Corollary 9. Finally, we find a g' E C{Dc) for which h-D(g') — 

D(g' ) = mv\ H h n m v m for some m, . . . , fj, m € <Q> 9 . 

Using uniqueness, we conclude that D(g + g ) = D(g' + g' ). Hence d(g + go) = 
AD(g + g ) = AD(g' + g' ) = d(g' + g' ) so that g + g and g' + g' only differ by a 
constant. In particular, g' 6 TO _ 1+re i- This concludes the proof. □ 



6 Commode Case 

In this section we discuss the simplifications for a nondegenerate curve with commode 
Newton polytope. Note that in practice, this is the most common case. 

Definition 5. Let K be a field. A bivariate polynomial f E K[N 2 ] is called commode if 

VSc{x,y}:dimr(f s ) = 2-\S\, 

where fs denotes the polynomial obtained from f by setting all variables in S equal to 
zero. 

The above definition simply means that the Newton polytope r(f) contains the origin, 
a point (a, 0) with a E No and a point (0, b) with b E No- 

In the remainder of this section we will assume that / E F g [N 2 ] is commode and 
nondegenerate with respect to its Newton polytope r, in the following sense. A first 
consequence of the assumption of commodeness is that A| is canonically embedded in 
Xr, the toric compactification of Tp with respect to r. As such, we can consider Jf as 
a compactification of the affinc plane, instead of the torus. Therefore we will work with 
a notion of nondcgcncratcness that is slightly weaker than the one given in Section 2: it 
is no longer necessary to impose the nondegenerateness conditions with respect to the 
faces lying on the coordinate axes. However, we now should explicitly impose that / 
defines a nonsingular curve in Ajj . For the remainder of this section, we will use this 
new notion of nondegenerateness. The main geometrical difference with the old notion 
is that now we allow our curve to be tangent to the coordinate axes. It is also clear 
that in practice all elliptic, hyperelliptic and C a b curves can be given by an equation 
that is nondegenerate in the above sense. An important remark is that Corollary 5 and 
Corollary 6 still hold under this weaker condition: the proof of Theorem 3 can be adapted 
to the above situation. 
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Now, let C denote the nonsingular curve V(f), i.e. the closure in Xp of the locus of 
/ in Ap . Instead of transforming the curve to the setting described in Section 3, we will 
now work with / itself. If we furthermore assume that / is monic in y, we obtain similar 
consequences as in Section 3, i.e. 

1. the set S := {x k y l \ k,l e N, < I < d y } with d y = dcg y J is an F 9 -basis for EaEp; 

2. every bivariate polynomial in F 9 [N 2 ] has support in mT for some big enough m G N. 



Cohomology of Commode Nondegenerate Curves Take an arbitrary lift / G 
Z g [N 2 ] of / with the same Newton polytope T, then / is nondegenerate with respect to 
its Newton polytope T and T is commode. Let C denote the nonsingular curve obtained 
by taking the closure of the locus of / in Xr, then we will compute H^^C D Aq ), 
instead of Hj^^C (~l Tq ). Note that the difference C fl (A 2 ^ \ T 2 ^) consists of d x + d y 
nonsingular points, with d x = deg/(a;,0) and d y = deg/(0,y), which by Theorem 4 
implies that 

dim H^r (CnA^)= dim H X MW (C H A F? ) = 2Vol( J T) - d x - d y + 1 . 

The main difference with the general case is that Theorem 5 needs to be reformulated 
as follows, where A is now -^jp- 

Theorem 7. Every element of D 1 (A) Q 9 is equivalent modulo d(A) Q q with a 
differential form u) with divisor 

Div c H > -Dc-Vc, 

where V c is defined as V c = W c - (T x PI C) — (T y n C) with T x (resp. T y ) the one- 
dimensional torus corresponding to the x- axis (resp. y-axis). 

Proof: Note that the support of the divisor Dc is disjoint from (T x n C) and from 
(T y fl C) since the corresponding Nk are zero, which explains the definition of Vc- The 
proof of Theorem 5 then holds with Wc replaced by Vc- Of course, Vc is still defined 
over Q q . □ 

The definition of A remains the same, but we need to restrict it to C(— Divo(a;) — 
Divo(y)) to obtain a bijection. Indeed, 

mv c (A(h)) = BW c (h) + D C -W C = Div c (/i) + D C -V C - (T x n C) - (T y n C) . 

Note that Div (a;) = T x n C and Div (y) = T y !~) C and that the support of D c - V c 
is contained in C \ Aq ; therefore if A(h) should have no poles on C n Aq , then clearly 
h € £(-Div (a;) - Div (y)). 

Theorem 7 implies that each differential form in D 1 (A) <S>z q Qq is equivalent modulo 
exact differential forms with an u> with divisor Divct^) > — Dc — Vc- Let w = A(h), 
then 

Biv c (A(h)) > -D c -Vc^hE £(2D C - Div (x) - Div (y)) . 

Since the support of D c is disjoint with the support of Div (x) + Div (y), we conclude 
that 

C(2D C - Divo(x) - Div (l/)) = C(2D C ) n £(-Div (x) - Div (y)) = L^ r , 

where L^ r denotes the bivariate polynomials with support in N§ n 2T. By working 
modulo D and /, we finally obtain the following corollary. 
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Corollary 10. If T is commode, then A induces an isomorphism of Q q -vector spaces: 



Lifting Probenius Endomorphism This follows the description given in Section 4, 
with the simplification that we now only need to compute the action of Frobenius on x 
and y. 

Reduction Algorithm The reduction in the commode case corresponds to Phase 1 of 
the general case as described in Section 5. The main difference is that the divisor E m 
simplifies to E m = mDivoo(x); since / is commode, we still have S[ m ] C £(2Dc + E m ), 
since E y = (d y — l)Divoo(?/) < Dc- Furthermore, if we choose k such that 

C(D C + E y + Di Voc (x)) c S l0 , K] , 

then C(D C + E y + E m ) C S[o, m -i+re] and L>(5 [0 , m ]) C Sp.m-i+K]- Tnc remainder of the 
algorithm is then exactly the same with m = and k 2 = k. 

7 Detailed Algorithm and Complexity Analysis 
7.1 Input and output size analysis 

As input our algorithm expects an / g F g [Z 2 ] (q = p n , p prime) that is nondegenerate 
with respect to its Newton polytope r, satisfying conditions 1 and 2 mentioned at the 
beginning of Section 3. A good measure for the input size is 

number of monomials x ( space needed to represent coefficient 

+ space needed to represent exponent vector) 

which is ~ #(r n Z 2 ) • (logg + log 5), where 5 is the degree of /, that is 

mw.{\i\ + \j\\(i,j)er}. 

From a result by Scott [41], that states that #(fnZ 2 ) < 3<? + 7 whenever g > 1, it 
follows that #(r n Z 2 ) is asymptotically equivalent with g. Note that the number of 
points on the boundary R = f^(dr n Z 2 ) is bounded by 2g + 7. 

As output our algorithm gives the characteristic polynomial x(i) := det(T* — It) G 
Z[t] of the Frobenius morphism T* acting on H\ IW {y{f) (~l T 2 /Q q ). A measure for its 
size follows easily from the Weil conjectures. Indeed, its degree equals 2Vo\(r) + 1 and 
2g of its roots have absolute value q 1 / 2 . The other roots correspond to #(<9-T n Z 2 ) — 1 
places lying on V(f) \ T^ q and have absolute value q. Now, since the i th coefficient of 
X(t) is the sum of ^ 2Vol ( r )+ 1 ^ ^-fold products of such roots, we conclude that an upper 
bound for the absolute values of the coefficients is given by 

/2Vol(r) + A g+B-l < 9 2Vol(r)+l n g+R-l 

{ voi(r) ) q ^ 2 q ■ 

Therefore, the number of bits needed to represent is 

O ((2Vol(r) + 1) • log(2 2Vol(r)+1 (? 9+K - 1 )) = 0{ng 2 ) 
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for p fixed. 

Note that the zeta function of V(f) n T§ is then given by 

Z v(/)nT| 5 W - ! _ ^ ■ 

The zeta function of the complete model V(f) can easily be derived from the above. See 
[4] for more details. 

7.2 Asymptotic estimates of some parameters 

We will bound the space and time complexity of our algorithm in terms of n and a set 
of parameters that depend only on r (note that we assume p fixed). In the following, we 
will often state that some property holds for most common polytopes: this is not intended 
to be made mathematically exact. But for instance, the statement will always hold when 
r has a unique right-most and a unique left-most vertex lying on the a;-axis, as well as 
a unique top and a unique bottom vertex lying on the y-axis. 

The most important parameter is of course g, the number of interior lattice points 
of r. During complexity analysis, we can interchange g with the volume of r or with 
the total number of lattice points of r, as they are all asymptotically equivalent. Indeed, 
this follows from Scott's result mentioned above, together with Pick's theorem: 

5<#(rnz 2 ) <3.g + 7 

g < Vol(r) < 2g + 3. 

(given g > 1). Recall that it follows that R = (dr n Z 2 ) < 2g + 7. Another parameter 
is 6, as defined above. We will also make use of the width w, i.e. the maximal difference 
between the first coordinates of two points of r, and the height h, i.e. d t — alb- Of course, 
h,w < 25 < 2w + 2h. For most common polytopes, wh will behave like g. However, 
easy examples show that w, h are in general unbounded for fixed g. For instance, let 
r = Conv{(l, m), (1, m — 1), (—1, — m), (—1, — m + 1)} for some arbitrarily big m E N. 
Then Vol(.T) = 2, while 6 = m + 1. See also Remark 4 below. 

Next, we need xi, Xi £ ^ sucn that C{mDc) C S[ mXl ^ mX2 ] for all m e No- Of course, 
Xi and X2 are determined by the slopes of the top and bottom edges of r. Denote as 
before the top vertex with (c t ,d t ) and let (a, b) be the clockwise-next vertex. Suppose 
that a > c t . Then it is not hard to see that Laurent polynomials with support in the 

upper half plane part of mf reduce (modulo /) into Sj-oo.ror] where r = c t + ^T^F^J ■ 
Now 

dt [ a - C ' ] = (a - ct) + &( ° - C ! ] <w + b(a-c t )<w + 2Vol(r) < 4g + w + 6. 
dt — o dt — o 

The one but last inequality comes from the fact that the triangle with vertices (0,0), 
(c t ,d t ), (a, b) is contained in r. Its volume equals 

ad* -(kb (a - c t )b 
2 ~ 2 

Therefore, r < Ct + Ag + w + 6. Using the same argument for the lower half plane, we 
conclude that C{mDc) C <S'[-oo,m(max(c t ,c il )+4g+u>+6)] • This is definitely also true when 
a < ct. By analogy, C(mD c ) C S[m(min(c t , Cil )-4g-™-6),+oo] , which proves that we can 
take Xi) X2 such that X2 — Xi < 8g + 3w + 12. For most common polytopes, h(\2 — Xi) 
is expected to be 0(g 3 ^ 2 ) (by interchanging x and y if necessary). 
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Strongly related with the foregoing are optimal k,i,k 2 £ <Z such that C(Dc + E y + 
Div oc (a;) + Divo(x)) C S[ Kl , K2 ], see Corollary 9. Note that ±orclp(x) < h and ±ordp(y) < 
w for any place P € C \ Tq : this follows from Corollary 2. Therefore, C{Dc + E y + 
Divoo(x) + Divo(x)) C C((hw + 2h + l)Dc)- By the foregoing, we conclude that we can 
takeK2 — «i = 0{hw{x2 — Xi)) — 0(hw(g+w)), though this is a very rough estimate. For 
most common polytopes, a much better bound holds: we can omit E y (see Remark 3) and 
have that Div^ (x) + Div (x) < 2Dc, so we can use the same bound as above (multiplied 
by 3), i.e. n 2 — K\ = 0{g + w). Again, for most common polytopes h(n 2 — «i) is expected 
to be 0(;? 3/2 ). 

Finally, we will often make use of the trivial estimates g < h(x2 — Xi)> h{n 2 — n\). 



7.3 The algorithm 

Remark 4- In the introductory section, we mentioned that the Soft-Oh notation neglects 
factors that are logarithmic in the input size. From the example given in the above 
subsection, it is clear that factors that are logarithmic in w, h, 5, Xi ~ Xi an d k-2 — Ki need 
not be logarithmic in the input size. Nevertheless, we will omit them during complexity 
analysis. This is mainly for sake of simplicity, but on the other hand we can prove [4] that 
there is some 'optimal' setting of r, to be obtained by stretching and skewing, in which 
w,h ~ g 4 . Hence also S,X2 — Xi an d K 2 — ^i are bounded by polynomial expressions 
in g. Moreover, the reduction to this optimal setting goes very fast, as it is essentially 
Euclid's algorithm for finding shortest vectors in a lattice. 

Remark 5. We assume that / is given as an array of tuples 

(coefficient, exponent vector) 

that is ordered with respect to the second components, so that the coefficient correspond- 
ing to a given exponent vector can be selected in O(l) time. If this is not the case, this 
can be easily achieved using a sorting algorithm. 

STEP 0: compute p-adic lift of /. First note that we assume that ¥ p is represented 
as and that ¥ q is represented as ¥ p /(r(X)) for some monic irreducible degree n 

polynomial r(X). Take r(X) e 7L\X\ such that it has coefficients in {0, ... ,p — 1} and 
reduces to r{X) modulo (p). Then Z q can be represented as Z p /(r(X j). Let 

a n - 1 [X} n - 1 + --- + a 1 [X} + a Q 

be any element of ¥ q . By the canonical lift to Z q , we mean 

a„_ 1 [X]™- 1 + • • • + ai [X] + a , 

where the a,j E {0, . . . ,p— 1} are the unique elements that reduce to cLj mod (p). Finally, 
if / = J2(i. 3 )ez 2 nr bijX l y j , define / = J2(i, 3 )ez 2 nr hjX l y j where the b io are canonical lifts. 

Complexity analysis. This step needs Q(ng) time and space. 



STEP I: determine p-adic precision. Assume that all calculations are done modulo 
p N for some JVeN. What conditions should N satisfy? From the foregoing, it follows 
that it suffices to compute x(t) modulo p N , where 



N > 



/2Vol(r) + 

I voi(r) 
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However, during the reduction process (STEP V.II) there is some loss of precision: to 
ensure that everything remains integral we need to multiply with p e where 

e= \\og p {mM + Aj\ 

with M — max{±ordp(x)}p eC \ T 2 , A = max{— ordp(y dt_1 ), — ordp(2/ df, )}p gC \ T 2 and 

* Qq * Qq 

m = max{|mi|, |w2|} the level at which the reduction starts. Here, m\,m<i £ Z are such 
that the objects to be reduced are in S[ mi)m2 ]. From Corollary 2, it is immediate that 
M < h and A < hw. To see what m is bounded by, note that the objects to be reduced 
have support in (9pN + 5p)T (when computed modulo p N ). Indeed, from STEP V. I we 
see that these objects are of the form 

» f , (^wifl^ -iwiw^) 

- «■ - ^'^Wi) ■ 

where E 2_T. Here a,/? € 7L q \E?\ are Laurent polynomials with support in 2F for 

which 1 = axf x +Pyfy mod / (see Corollary 5). The bound then follows from Theorem 6 
and the remark below it. 

Since L( 9pN+5p ) r C S[( 9pN+5p ) Xu ( 9pN+5p ) X2 ] , we obtain that 

£< [log p ((9piV + 5p)max{|xi|,X2}/i + /iw)] . 

As a consequence, this is a natural bound on the valuations of the denominators appear- 
ing in the matrix of T* (as computed in STEP VII). During STEP VIII and STEP IX, 
our denominators could grow up to p n ( 2Vol ( r )+ 1 ) £ . i n conclusion, it suffices to take N 
such that it satisfies N > 

+ n(2Vol(r) + 1) \log p ((9 P N + 5 P ) max{|xi|, Xi}h + hw)] 
In particular, N = 0(ng). 



STEP II: compute effective Nullstellensatz expansion. In this step, one com- 
putes (up to precision p N ) polynomials a, (3, 7 € Z 9 [Z 2 ] with support in 2F such that 

1 =1 f + ax^- +(3y^-- 
ox ay 

This defines a linear system A ■ x = B that can be solved using Gaussian elimination, 
in each step of which the pivot is taken to be a p-adic unit. This is possible since the 
linear map defined by A is surjective (by Theorem 3). In particular, there is no loss of 
precision. Note that instead of Gaussian elimination, one can use the method described 
at the end of Section 5. In this way, one gains a factor g time. But for the overall com- 
plexity analysis this makes no difference. 

Complexity analysis. Selecting the entries of A takes 0(g 2 ) time (see Remark 5). One 
then needs 0(nNg 3 ) = 0(n 2 g 4 ) time and Q(nNg 2 ) = 0(n 2 g 3 ) space to solve the system. 
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STEP III: compute lift of Frobenius . Take lifts S, S x , S y E Z 9 [Z 2 ] of j p , a p , J? and 
compute a zero of the polynomial 

H(Z) = (1 + S x Z) a (l + S y Z) b r(xP(l + 5 X Z), yP(l + 5 y Z)) 

(as described in Section 4) up to precision^, using Newton iteration and starting from 
the approximate solution 0. Reduce all intermediate calculations modulo / to the basis 
{ x l yi \db < j < d t } (this is why the terms — (a5 x + bS y — S)f p Z — f p , that were added 
for theoretical reasons, can be omitted in the formula for H{Z)). Finally, if we denote 
the result by Zo, expand Z x := 1 + 5 x Zq, Z y := 1 + 8 v Zq and compute their inverses 
up to precision p N using Newton iteration (again reduce the intermediate calculations 
modulo /). Note that if we take a and b minimal, then degH < w + h. 

Complexity analysis. Remark that it is better not to expand the polynomial H(Z) 
(nor its derivative j^-(Z)), but to leave it in the above compact representation. The 
reason is that the expanded versions of H and ^ are very space-costly. 

A similar complexity estimate has been made in [9] . The complexity is dominated by 
the last iteration step, which in its turn is dominated by 0(g) computations of terms of 
the form 

(i + s x z'y(i + s y zy 

where Z' E S[ 6pNxi ^ pNx2 ], i E {0, ...,w} and j E {0,...,h} (because of (14)). Note 
that reducing a polynomial with support in [6pNxi, dpNx2] x [ — Arfb, A(dt — 1)] (for some 
A G No) to the basis mentioned above can be done in 0(XhN(x2 — Xi) ' 9 1 nN) = 
0(\n 3 g 3 h{x2 — Xi)) time (at least if we know that all intermediate results are supported 
in [6pNxi, 6pNx2] x Z modulo p N ). Therefore, the overall time complexity of STEP III 
amounts to 0(n 3 g 4 h(x2 — Xi))i whereas the space complexity is 0(n 3 g 2 h(x2 — Xi))- 
Note that this indeed dominates the time and space needed to compute the Frobenius 
substitutions, each of which can be done in 0(n ■ nN) time (see e.g. [6, Section 12.5]). 

The complexity of computing Z x ,Z y , Z^ 1 , Z y x works similarly and is dominated by 
the above. 



STEP IV: 'precompute ' J-*(dx/xyf y ) . Here, J-* is the Q g -vector space endomorphism 
of i?c(C H Tq^) induced by T v . Note that dxj f y = fiydx — axdy. Thus T*(dx/xyf y ) = 



J r p (x)dx T p (x)dy ' J \T p {y)dx f p (y)dy 

However, as will become clear in the following step, it is more natural to precompute 

E := Vf v U(fi)f^-^a)^)-xf x - • 

V T p (x)dx T p (y)dx) \ T p {x)dy v T p (y)dy ) 

Furthermore, this object has nicer convergence properties, in the sense that it is sup- 
ported modulo p N in an easy to determine multiple of r ((9pN + 3p)T to be precise). 
Therefore, we have a good control (in terms of Xi and % 2 ) on the size of the objects we 
are computing with. 



Complexity analysis. The complexity of this step is dominated by the computation 
of O(g) expressions of the form Z x Z y , where \i\ and |j are O(S). As before, this results 
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in 0(n 3 g 4 h(x2 — Xi)) time and 0(n 3 g 2 h(x2 — Xi)) space. 
STEP V: for every E IT: 

STEP V.I: let Frobenius act on x l y 3 . In this step, one actually computes 

a-\t;{a{xY)))- 

Note that J r *(A(x l y J )) is given by J r p (x l y J )J r *(dx/xyf v ). To translate back, if 

Fp( A ( xl y J )) = 9ijsdx + g tJ , 2 dy 

then 

A- l {T;(A{x l y 3 ))) = xy{f y g ijA - f x g ijt2 ). 

Therefore, we output 

where E is the expression that was precomputed during the foregoing step. 

STEP V.II: reduce modulo D. Using the method described in Section 5, reduce the 
output of the foregoing substep (after multiplying with p £ ) to obtain polynomials <E 
£ (1 ^(2Dc) C L^p- Note that we want our output to be supported in 2_T: at this stage, 
we are no longer interested in the reduction to the basis { x l y 3 \d\, < j < d t }. 

Complexity analysis. The complexity of the first substep can be estimated using a 
method similar to what we did in STEP IV, resulting in 0(n 3 g 3 h(x2 — Xi)) time (per 
monomial) and 0(n 3 g 2 h(x2 — Xi)) space. For the second substep, it suffices to analyze 
the complexity of Phase 1 and Step t+1, as described in Section 5. During Phase 1, one 
needs to solve systems of size ~ h(2n2 + c). Therefore, it is optimal to choose c = K2- 
The number of systems to be solved is then bounded by m/c — m/n2- Using similar 
estimates for Phase 2 and using the analysis made at the end of Section 5, this results 
in a use of 

0(h 2 (K 2 - ki)(X2 - Xi)nN 2 + h 3 (n 2 - n 1 ) 2 ( X 2 - Xi)nJV) 

time before proceeding to Step t+1. In this final step, one needs to solve a linear system 
of size 0(/imax{K 2 — K i,X2 — Xi}); resulting in a time-cost of 

0(h 2 (max{« 2 - «i, Xi ~ X\\f nN + h 3 (max{K 2 - «i, X2 - Xi}) 3 «)■ 

The extra space needed during Phase 1 and Step t+1 is 

0(h 2 (max{K 2 - Ki, X2 - Xi}) 2 nN), 

though this will in general be dominated by the space needed to store the polynomial h 
that is to be reduced, which is 0(n 3 g 2 h(x2 — Xi))- 

Since substeps V.I and V. II have to be executed for 0(g) monomials, we obtain the 
following global estimates for STEP V: a time-cost of 

0(n 3 g 3 h 2 (maxj> 2 - «i, X2 - Xi}) 2 + n 2 g 2 h 3 (max{« 2 - k u Xi ~ Xi}) 3 ) 

and a space-cost of 0(n 3 gh 2 (max{ft2 — K i,X2 — Xi}) 2 )- 

Note that our time-estimate dominates the time needed to actually compose the sys- 
tems that are to be solved. 
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STEP VI: compute a Z^-basis of M H = ( ^n^m ' Note that from thc proof of 
Lemma 6, we have that C 
to compute a Z 9 -basis of 



(D(C(D c ))y 



Lemma 6, we have that £(°\mDc) = 1^ for any m G No. Therefore, we actually have 



r(0) 



(D(L r ) + fL r f y 



Consider the module D(Lp^) + fLp^ and express a vector A whose entries are the genera- 
tors {D(x l yi), fx 1 !/!},. ^ ernI 2 m terms of a vector B whose entries are {x r y s }^ r s ^ e2 rr\Z 2 '- 



A = E ■ B. 



Now compute Z 9 -invertible matrices N\ and N 2 (and their inverses) such that N\ ■ E ■ N 2 
is a diagonal matrix. Its non-zero entries are the non-zero invariant factors of E and will 
be denoted by di, . . . , d(. If we write 

JVi • A = m ■ E ■ N 2 ■ N^ 1 ■ B, 

we see that the entries of N 2 X -B form a basis {/i, . . . , fk} of L 2 °p such that {di/i, . . . , defy} 
is a basis of D(Lp^) + fLp\ It is then easily seen that {fi, ■ ■ ■ , fe} is a basis of 
(D(L r ) + fL r ) m . Finally, {f e+1 , . . . , /*} is a basis of M H . 

When computing modulo a finite precision, some caution is needed: to determine 
fe+i, ■ ■ ■ , fk modulo p N , it docs not suffice to do the above computations modulo the 
same precision. During this step (and only during this step), we need to compute modulo 
pN+Na^ wncrc tv — [£n\og p (£whnp)\ + 1 = O(N). Indeed, we claim that A^ is a strict 
upper bound for the p-adic valuation of any non-zero (I x^)-minor of E. As a consequence, 
the valuations of thc non-zero invariant factors d\, . . . , d^ are also^ strictly bounded by 
No- Therefore, we will be able to find invertible matrices N\ and N 2 such that 

N-l-E- AV 1 

is congruent modulo p N+N ° to the above diagonal matrix. The 'basis' {fe+i, ■ ■ ■ , fk} 
we find in this way corresponds modulo p N to the basis mentioned above: if we would 
want to finalize the above diagonalization (which was only carried out modulo p N + N " ) ; 
we would need to subtract from the fi Laurent polynomials with coefficients divisible 
by p( N+N °) /p N ° = p N . Actually, one can check that {fe+i, • ■ • , fk} is a basis itself, but 
we won't need this. If in STEP VII we write fe+i, ■ ■ ■ , fk and N 2 , we actually mean the 
reductions mod p N of fe+i, ■ ■ ■ , fk and N 2 that were computed this way. 

It remains to prove the claim, i.e. the p-adic valuation of any non-zero (t x ^)-minor 
of E is strictly bounded by Nq. Let r(X) be the polynomial from STEP and let 9 G C 
be a root of it. Consider K = Q(8) and let Ok be its ring of algebraic integers. Then 
p = (p) C Ok is a prime ideal and the p-adic completion of K can be identified with Q q . 
Under this identification, E has entries 

n-l 

where the o; 6 Z satisfy |a,| < 2whp. Since the complex norm of any root of r(X) is 
bounded by p by Cauchy's bound, we conclude that the entries e of E satisfy 

\^ii\K < nwhp n < (whnp) n 
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for any archimedean norm • \k on K that extends the classical absolute value on Q. 
Since an (I x ^)-minor m is the sum of l\ £-fold products of such entries, it follows that 

\m\ K < {£whnpf n . 

Since m is an algebraic integer, from the product formula we have 

\m\~ n < Y[ \m\ K < (£whnp) en2 

(if m 7^ 0), where | • | p is scaled such that |p| p = 1/p and where the product is over all 
archimedean norms | • \k on K, to be counted twice if it comes from a non-real root of 
r(X). From this we finally get that ord p m < £n\og p (£whnp). 

Complexity analysis. This step needs 0(g 3 ) ring operations, each of which takes 
0(nN) time. Therefore, the time complexity of this step is 0(n 2 g 4 ) while the space 
complexity amounts to (J(n 2 g 3 ). 

STEP VII: compute a matrix of p-th power Frobenius . From STEP V, we know that 
p e x l yi is mapped to r,j. Therefore, it is straightforward to compute the action of Frobe- 
nius on fe+i, ■ ■ ■ ,fk and express it in terms of B: 



( fe+i 

V fk 



F ■ B. 



Since F ■ B = F ■ N 2 - N^ 1 ■ B, we obtain a matrix of Frobenius as p E times an appropriate 
submatrix M of F ■ N 2 . 



Complexity analysis. The complexity of this step is dominated by the computation 
of F ■ N2, which takes 0(n 2 g 4 ) time and 0(n 2 g 3 ) space, and by 0(g 2 ) Frobenius substi- 
tutions, taking an extra 0(g 2 ■ n ■ nN) — <J(n 3 g 3 ) time. 

STEP VIII: compute a matrix of q-th power Frobenius. The matrix p~ £ M of the 
foregoing step is a matrix of T*, which is a Q p -vector space morphism acting on Fl\ lw {Cr\ 

Tq ). A matrix of T* is then given by p-' ne M n where M n = M^ 1 ■ M CT "~ 2 • • • M a ■ M. 

A4 n can be computed using the following method that was presented by Kedlaya 
[23]: let n = ni\\2 ■ . . ttfc be the binary expansion of n and write n' = tiiri2 • • • n^-i, then 
we have the formula 

M n =M a n : +nk -M n : k ■ M nk 
by means of which A4 n can be computed recursively . 

Complexity analysis. Applying some a 1 (i < n) to a matrix of size O(g) takes 
0(g 2 ■ n ■ nN) = 0(n 3 g 3 ) time, if we precompute [A] CT * as a root of the polynomial 
r that defines Z q , using Newton iteration and starting from the approximate solution 
[X] p £ F q . The complexity of STEP VIII is then dominated by O(logn) matrix multi- 
plications and O(logn) applications of some a 1 , resulting in 0((n + g)n 2 g 3 ) time. The 
space needed is 0(n 2 g 3 ). 

STEP IX: output the characteristic polynomial of Frobenius. The characteris- 
tic polynomial x(t) of M n can be computed using the classical algorithm based on the 
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reduction to the Hessenberg form [5, Section 2.4.4]. In each step of this reduction, the 
pivot should be chosen to be an entry under the diagonal with minimal p-adic valuation 
(unless this exceeds the required precision). In this way, no denominators are introduced. 
Write 

2Vol(r)+l 

m = E 

i=0 

Then the characteristic polynomial of T* (or of p~ ns M n ) is given by 

2Vol(r)+l 

X (t)= ]T P^^-^Cif GZ[t]. 
»=o 

This finalizes the description of the algorithm. 

Complexity analysis. This needs 0(g 3 ■ nN) — 0(n 2 g 4 ) time and 0{n 2 g 3 ) space. 

7.4 Main theorem 

The above analysis allows us to reformulate Theorem 1 in more detail. 

Theorem 8. There exists a deterministic algorithm to compute the zeta function of 
a bivariate Laurent polynomial f G F p n[Z 2 ] that is nondegenerate with respect to its 
Newton polytope T , given that the latter contains the origin and has unique top and 
bottom vertices. Let g, h, w, K\, K2, Xi, X2 be as above. Then for fixed p, it has running 
time 

0(n 3 g 3 h 2 (max{« 2 - «i,X2 - Xi}) 2 + n 2 g 2 h 3 (max{K 2 - Ki,%2 - Xi}) 3 )- 

The space complexity amounts to 

0(n 3 gh 2 (max{« 2 - «i,X2 - Xi}) 2 ) 

The O-notation hides factors that are logarithmic in n,g,w and h. For 'most common' 
polytopes, the estimates h{\2 — Xi) ~ h(n 2 — K\) w g 3 / 2 hold, so that the algorithm needs 
0(n 3 g 6 + n 2 g 6 ' 5 ) time and 0(n g ) space. 

Recall from Section 3 that the above conditions on T are not restrictive. Note that 
in the C a b curve case, a better estimate for h{\2 — Xi) = h{n 2 — K\) is g, yielding a time 
complexity of 0(n 3 g 5 ) and a space complexity of 0(n 3 g 3 ). This is the same as in the 
algorithm presented in [9]. 

8 Conclusions 

In this paper, we presented a generalization of Kedlaya's algorithm to compute the 
zeta function of a nondegenerate curve over a finite field of small characteristic. As 
the condition of nondcgcncratcncss is generic, the algorithm works for curves that are 
defined by a randomly chosen bivariate Laurent polynomial with given Newton polytope 
r. It requires 0(n 3 !Pt) amount of time and 0(n 3 \P s ) amount of space, where !f - t,>f - s are 
functions that depend on T only. For non-exotic choices of T, we have that <?t ~ g 6 5 
and &S ~ g 4 , where g is the number of interior lattice points of T (which is precisely the 
geometric genus of the curve), (in fact, if n 3> g, which will usually be the case, we have 
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Wt ~ .g 6 ). In the case of a C a {, curve, we obtain the estimates W t ~ <? 5 and •J's ~ g 3 , so 
that the algorithm works (at least asymptotically) as fast as the one presented in [9] . At 
this moment, the algorithm has not yet been fully implemented. 

In order to develop the algorithm, we proved a number of theoretical results on 
nondcgcncratc curves that are interesting in their own right, for example a linear effective 
Nullstcllcnsatz for sparse Laurent polynomials in any number of variables. Also, we 
adapted the Frobenius lifting technique used in [9] to prove a convergence rate in which 
the Newton polytope r plays a very natural role. 

These results seem to reveal an entirely sparse description of the first Monsky- 
Washnitzer cohomology group and the action of Frobenius on it, though this should 
be investigated further. In particular, during reduction modulo exact differentials we 
loose track of the Newton polytope for complexity reasons. 
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